Cross-Site Request Forgery Vulnerability in LadiApp WordPress Plug-in
CVE-2023-4731

4.3MEDIUM

Key Information:

Vendor
Wordpress
Status
Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…
Vendor
CVE Published:
12 March 2024

Summary

The LadiApp plugn for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to modify a variety of settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can directly modify the 'ladipage_key' which enables them to create new posts on the website and inject malicious web scripts,

Affected Version(s)

LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… * <= 4.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/ladipage/trunk...
https://plugins.trac.wordpress.org/browser/ladipage/trunk...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

GiongfNef
.