CVE-2023-4276 – Absolute Privacy <= 2.1 - Cross-Site Request Forgery to User Email/Password Change

https://notcve.org/view.php?id=CVE-2023-4276

09 Aug 2023 — The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the 'abpr_profileShortcode' function. This makes it possible for unauthenticated attackers to change user email and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El plugin Absolute Privacy para WordPress es vulnerable a Cross-Site Request Forgery (CSRF) en versi... • https://plugins.trac.wordpress.org/browser/absolute-privacy/trunk/profile_page.php • CWE-352: Cross-Site Request Forgery (CSRF) •