Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Arnan de Gans

    (@adegans)

    I’m not aware of any such issues…

    Plugin Author Arnan de Gans

    (@adegans)

    At first inspection of the mentioned buttons ALL functions that MIGHT be exploitable silently fail when there is no nonce as intended.

    Users need to be logged in and click a specific button for this to work as is intended. Simply loading the url with the trigger will NOT work.

    If a bogus link is sent (for example via email), the trigger will NOT work, since the nonce is missing and/or the user is not logged in.
    And even if the trigger would work, these are common maintenance functions that take NO input, take NO variables and just execute simple tasks. There is no risk in that regard.

    If the report is about some other flaw, I’m not aware of it, so at best it’s a stupid/unclear report and at worst an inaccurate/poorly tested one…
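
An added illustration of the pattern the author describes above (a logged-in user, a specific button, a nonce that makes a bare URL or an e-mailed link fail silently). This is not AdRotate code and was not posted by anyone in this thread; the plugin prefix, the `example_action` query parameter, the nonce action name, the capability and the transient name are all assumptions chosen for the example. The unsafe handler is shown only for contrast, so the difference a nonce makes is visible.

```php
<?php
/**
 * Added example, not the plugin's own code. Demonstrates the WordPress
 * nonce + capability pattern for a "maintenance button" that takes no input.
 * All names below (example_plugin_*, example_action, the nonce action string,
 * the capability and the transient) are assumptions for illustration.
 */

// Hypothetical maintenance task: no parameters, just does a fixed job.
function example_plugin_clear_cache() {
    delete_transient( 'example_plugin_cache' ); // assumed transient name
}

// UNSAFE pattern, for contrast only: any request carrying the trigger
// parameter runs the task. If an administrator who is logged in loads an
// attacker's page containing
//   <img src="https://victim.example/wp-admin/?example_action=clear_cache">
// the browser sends the admin's cookies and the task runs. That is CSRF.
function example_plugin_handle_unsafe() {
    if ( isset( $_GET['example_action'] ) && 'clear_cache' === $_GET['example_action'] ) {
        example_plugin_clear_cache();
    }
}

// HARDENED pattern, the behaviour the author describes:
// 1. the request must carry a nonce bound to this action and this user's session;
// 2. the user must hold the capability needed for maintenance tasks;
// 3. on any failure the handler returns and nothing happens (silent fail).
function example_plugin_handle_safe() {
    if ( ! isset( $_GET['example_action'] ) || 'clear_cache' !== $_GET['example_action'] ) {
        return;
    }

    // Nonce missing or invalid: simply loading the URL, or following a link
    // sent by e-mail, stops here. A nonce is derived from the user ID and
    // session token, so an attacker cannot forge one for the victim.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( $_GET['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_clear_cache' ) ) {
        return;
    }

    // A valid nonce is not authorization by itself: also require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    example_plugin_clear_cache();
}
add_action( 'admin_init', 'example_plugin_handle_safe' );

// Building the legitimate button: wp_nonce_url() appends _wpnonce to the link,
// so only a link rendered for this user in this session carries a valid token.
function example_plugin_button_url() {
    return wp_nonce_url(
        admin_url( 'admin.php?page=example_plugin&example_action=clear_cache' ),
        'example_plugin_clear_cache'
    );
}
```

Two details worth keeping in mind when reviewing a handler like this: `wp_verify_nonce()` returns false for a logged-out visitor unless the nonce was minted for user ID 0, so the `current_user_can()` check is what actually enforces who may run the task, and the two checks belong together. If a visible error is preferred over a silent return, `check_admin_referer( 'example_plugin_clear_cache' )` performs the same nonce check but calls `wp_die()` on failure.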

    Plugin Author Arnan de Gans

    (@adegans)

    The mentioned CVE doesn’t even exist…

    weslleysim

    (@weslleysim)

    Hey Arnan, does that mean we don’t have to worry? I got a message on wordfence scam talking about this vulnerability in ad-rotate plugin, came here and came across this post

    Plugin Author Arnan de Gans

    (@adegans)

    As far as I can tell the 3 buttons they mention cannot be triggered with a CSRF attack. I believe the report to be false and their exploit either not tested, or just plain wrong.

    I’ve had no reports from any other security service/database that something is wrong.
    So indeed, no risk, no hack – as far as I can see. Refer to my earlier posts for more details.

    That said, with the crappy reporting going on and how unclear the whole database of Patchstack is, I would strongly advise against using or trusting any of their services and/or reports and go with a more reliable and trustworthy resource.
    They didn’t even bother to alert me of their findings… didn’t provide a proof of concept or even a clear description of the supposed issue…

    And WordFence should know better as well than to trust this kind of idiocy – what a waste of internet

    Plugin Author Arnan de Gans

    (@adegans)

    Addressed in version 5.9.1 – update now.

    Thread Starter swddanny

    (@swddanny)

    Thank you Arnan.

  • The topic ‘Multiple Cross-Site Request Forgery (CSRF) vulnerabilities’ is closed to new replies.