Cross-Site Request Forgery Vulnerability in Short URL Plugin for WordPress

CVE-2023-1604

4.7MEDIUM

Key Information

Vendor: Kaizencoders
Status: Short Url
Vendor: CVE Published:; 17 August 2024

Summary

The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configuration_page function. This makes it possible for unauthenticated attackers to add and import redirects, including comments containing cross-site scripting as detailed in CVE-2023-1602, granted they can trick a site administrator into performing an action such as clicking on a link.

Affected Version(s)

Short URL <= 1.6.8

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published.
Aug 17, 2024
Disclosed
Aug 16, 2024
Vulnerability Reserved.
Mar 23, 2023

Collectors

NVD DatabaseMitre Database

Credit

Etan Imanol Castro Aldrete