CVE-2023-2303

MEDIUM Year: 2023
CVSS v3 Score
6.1
Medium
Weakness Type
CWE-352
View all →

Vulnerability Description

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.4. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Related Vulnerabilities

CVE-2016-10865

MEDIUM
CVSS:6.1(Medium)

The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS.

CWE-3522016

CVE-2016-11084

MEDIUM
CVSS:6.1(Medium)

An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.

CWE-3522016

CVE-2016-6158

MEDIUM
CVSS:6.1(Medium)

Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei WS331a routers with software before WS331a-10 V100R001C01B112 allow remote attackers to hijack the authentication of administrators...

CWE-3522016

CVE-2016-6642

MEDIUM
CVSS:6.1(Medium)

Cross-site request forgery (CSRF) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to hijack the authentication of administrators for requests that upload files.

CWE-3522016

CVE-2018-0444

MEDIUM
CVSS:6.1(Medium)

A vulnerability in the web-based management interface of Cisco Packaged Contact Center Enterprise could allow an unauthenticated, remote attacker to conduct a stored XSS attack against a user of the i...

CWE-3522018

CVE-2018-1432

MEDIUM
CVSS:6.1(Medium)

IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to cross-frame scripting which is a vulnerability that allows an attacker to load Information Server components inside an HTML...

CWE-3522018