Cross-Site Request Forgery Vulnerability in Multiple Page Generator Plugin for WordPress
CVE-2023-2608

4.3 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 17 May 2023

Summary

The Multiple Page Generator Plugin for WordPress is susceptible to Cross-Site Request Forgery, enabling attackers to execute time-based SQL Injection. This vulnerability arises due to the absence of nonce verification in the projects_list function and inadequacies in escaping user-supplied parameters. Attackers can exploit this by crafting deceptive links that, when clicked by an administrator, could lead to unauthorized SQL queries being appended to legitimate queries. This not only threatens data integrity but could also result in resource exhaustion. A patch in version 3.3.18 addresses these security issues, significantly mitigating associated risks.
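
The two defects named above, missing nonce verification and insufficient escaping, map to the controls in the following added example. It is not code from the MPG plugin or its patch: the handler, action, table and parameter names are hypothetical, and it assumes a WordPress admin AJAX endpoint that lists rows with search, sorting and paging.

```php
<?php
// Hypothetical list handler; names are illustrative, not taken from the MPG plugin.
add_action( 'wp_ajax_example_projects_list', 'example_projects_list' );

function example_projects_list() {
    global $wpdb;

    // 1. CSRF defence: require a nonce created with
    //    wp_create_nonce( 'example_projects_list' ) and sent as "nonce".
    //    check_ajax_referer() stops the request with a 403 if it is missing or invalid.
    check_ajax_referer( 'example_projects_list', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 3. Numeric input: cast and clamp instead of escaping.
    $per_page = isset( $_GET['per_page'] ) ? min( 100, max( 1, absint( $_GET['per_page'] ) ) ) : 20;
    $paged    = isset( $_GET['paged'] ) ? max( 1, absint( $_GET['paged'] ) ) : 1;
    $offset   = ( $paged - 1 ) * $per_page;

    // 4. Identifiers (ORDER BY column and direction) cannot be bound as
    //    placeholders, so they are chosen from a fixed allow-list.
    $allowed = array( 'id', 'name', 'created_at' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';
    }
    $order = ( isset( $_GET['order'] ) && 'desc' === strtolower( wp_unslash( $_GET['order'] ) ) ) ? 'DESC' : 'ASC';

    // 5. Free-text input: bound as a value through $wpdb->prepare().
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $like   = '%' . $wpdb->esc_like( $search ) . '%';

    $table = $wpdb->prefix . 'example_projects'; // hypothetical table name
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, created_at FROM {$table}
             WHERE name LIKE %s ORDER BY {$orderby} {$order} LIMIT %d OFFSET %d",
            $like,
            $per_page,
            $offset
        )
    );

    wp_send_json_success( $rows );
}
```

With the nonce check in place, a link clicked by a logged-in administrator cannot drive the query, and the prepared statement keeps user input out of the SQL text even for legitimate requests.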

Affected Version(s)

Multiple Page Generator Plugin – MPG * <= 3.3.17

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka