CVE-2022-3025 – Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF
https://notcve.org/view.php?id=CVE-2022-3025
The Bitcoin / Altcoin Faucet WordPress plugin through 1.6.0 does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues El plugin Bitcoin / Altcoin Faucet de WordPress versiones hasta 1.6.0, no presenta ninguna comprobación de tipo CSRF cuando guarda sus ajustes, lo que permite a un atacante hacer que un administrador conectado los cambie por medio de un ataque de tipo CSRF. Además, debido a una falta de saneo y escape, también podría conllevar a problemas de tipo Cross-Site Scripting Almacenado. The Bitcoin / Altcoin Faucet plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.0. This is due to missing or incorrect nonce validation when saving plugin settings. • https://wpscan.com/vulnerability/66bc783b-67e1-4bd0-99c0-322873b3a22a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •