• Resolved Stas

    (@web13)


    Dear Support,

    The Disable User Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.7. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

    If I created this topic in the wrong place please delete it.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Saint Systems

    (@saintsystems)

    While the plugin has always had nonce validation that prevents Cross Site Request Forgery, we just released v1.3.8 which adds user-specific nonce validation for each user row in the admin table to improve this and address any potential issue.

    Please update to 1.3.8 at your earliest convenience.
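    As an added illustration of the per-row nonce approach the plugin author describes above (example code written for this note, not the Disable User Login plugin's own source; the action slug, user-meta key and function names are assumed), the pattern is to bind the nonce action string to the user ID of each row, then verify that exact string before touching the user record:

```php
<?php
/**
 * Illustrative per-user nonce handling for a WordPress admin user table.
 * This is NOT the Disable User Login plugin's code; the action slug, meta
 * key and function names below are assumptions made for the example.
 */

const DUL_EXAMPLE_ACTION   = 'dul_example_toggle_login';   // assumed slug
const DUL_EXAMPLE_META_KEY = 'dul_example_login_disabled'; // assumed meta key

/**
 * Weak pattern (the bug class, shown for contrast): one site-wide nonce
 * action for every row, and the result of wp_verify_nonce() is ignored,
 * so a forged link still reaches update_user_meta().
 */
function dul_example_weak_handler(): void {
    $user_id = absint( $_GET['user_id'] ?? 0 );
    wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'dul_toggle' ); // return value unused
    update_user_meta( $user_id, DUL_EXAMPLE_META_KEY, 1 );
}

/**
 * Build the row action link for one user. The nonce action string includes
 * the user ID, so a nonce obtained for one row does not verify for another.
 */
function dul_example_row_action_url( int $user_id ): string {
    $url = add_query_arg(
        array(
            'action'  => DUL_EXAMPLE_ACTION,
            'user_id' => $user_id,
        ),
        admin_url( 'users.php' )
    );
    return wp_nonce_url( $url, DUL_EXAMPLE_ACTION . '_' . $user_id );
}

/**
 * Handle the request. Two independent checks, in this order:
 *   1. capability: only users who may edit users can toggle the flag;
 *   2. nonce: the request must carry a fresh nonce for THIS user ID.
 * check_admin_referer() calls wp_die() when the nonce is missing or wrong,
 * so a forged request never reaches update_user_meta().
 */
function dul_example_handle_toggle(): void {
    if ( ! isset( $_GET['action'] ) || DUL_EXAMPLE_ACTION !== $_GET['action'] ) {
        return;
    }
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'dul-example' ), 403 );
    }

    $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
    if ( 0 === $user_id ) {
        wp_die( esc_html__( 'Missing user ID.', 'dul-example' ), 400 );
    }

    // Default query arg is '_wpnonce', which is what wp_nonce_url() emits.
    check_admin_referer( DUL_EXAMPLE_ACTION . '_' . $user_id );

    $disabled = (bool) get_user_meta( $user_id, DUL_EXAMPLE_META_KEY, true );
    update_user_meta( $user_id, DUL_EXAMPLE_META_KEY, $disabled ? 0 : 1 );

    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
add_action( 'admin_init', 'dul_example_handle_toggle' );
```

    The capability check and the nonce check are separate defenses: the nonce proves the logged-in administrator intended this specific action on this specific row, while current_user_can() decides whether that administrator is allowed to perform it at all. A CSRF fix that only adds a nonce without the capability check, or that computes wp_verify_nonce() but does not act on its result, still leaves the handler reachable by a forged link.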

    Plugin Author Adam Anderly

    (@anderly)

    @stas, improved nonce verification has been added in v1.3.8/v1.3.9. Please update at your earliest convenience.

    Thread Starter Stas

    (@web13)

    Hello,

    Wordfence no longer complains about plugin security.

    Thanks for the quick resolution of the problem!

  • The topic ‘Vulnerable to Cross-Site Request Forgery’ is closed to new replies.