CVE-2023-27444
WordPress DecaLog Plugin <= 3.7.0 is vulnerable to Cross Site Request Forgery (CSRF)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Cross-Site Request Forgery (CSRF) vulnerability in Pierre Lannoy / PerfOps One DecaLog plugin <= 3.7.0 versions.
Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Pierre Lannoy/PerfOps One DecaLog en versiones <=3.7.0.
The DecaLog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.7.0. This is due to missing or incorrect nonce validation on the get_settings_page function. This makes it possible for unauthenticated attackers to install the Device Detector (device-detector) or IP Locator (ip-locator) WordPress plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Cross-Site Request Forgery (CSRF) vulnerability in Pierre Lannoy / PerfOps One DecaLog plugin <= 3.7.0 versions.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-03-01 CVE Reserved
- 2023-03-05 CVE Published
- 2024-11-20 CVE Updated
- 2024-12-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
- CAPEC-62: Cross Site Request Forgery
References (1)
| URL | Tag | Source |
|---|---|---|
| https://patchstack.com/database/vulnerability/decalog/wordpress-decalog-plugin-3-7-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|