Cross-Site Request Forgery Vulnerability in WP Meta SEO Plugin by WordPress
CVE-2023-1028

4.3MEDIUM

Key Information:

Vendor
Wordpress
Status
WP Meta SEO
Vendor
CVE Published:
28 February 2023

Summary

The WP Meta SEO plugin for WordPress has a vulnerability that allows unauthenticated attackers to update plugin options through Cross-Site Request Forgery due to inadequate nonce validation on the setIgnore function. Attackers can exploit this flaw by tricking a site administrator into triggering a malicious request, enabling them to alter plugin settings without permission. It is crucial to update to the latest version to mitigate this risk.

Affected Version(s)

WP Meta SEO * <= 4.5.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/2870465/wp-m...
https://plugins.trac.wordpress.org/changeset/2870465/wp-m...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.