CVE-2021-4394: CSRF
First published: Sat Jul 01 2023(Updated: )
The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to update custom field meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Goldplugins Locations | <4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2548546%40locations&new=2548546%40locations&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3df9f237-a861-43fc-8623-d42f84d8d5d1?source=cve
Frequently Asked Questions
What is the vulnerability ID for the Locations plugin in WordPress?
The vulnerability ID for the Locations plugin in WordPress is CVE-2021-4394.
What is the severity of the CVE-2021-4394 vulnerability?
The severity of the CVE-2021-4394 vulnerability is high, with a severity value of 8.8.
Which version of the Locations plugin is affected by the CVE-2021-4394 vulnerability?
Versions up to and including 3.2.1 of the Locations plugin are affected by the CVE-2021-4394 vulnerability.
What is Cross-Site Request Forgery (CSRF)?
Cross-Site Request Forgery (CSRF) is a type of attack where an attacker tricks a victim into performing an unwanted action without their knowledge or consent.
Where can I find more information about the CVE-2021-4394 vulnerability?
You can find more information about the CVE-2021-4394 vulnerability at the following references: [link1], [link2], [link3].
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/goldplugins
- canonical/goldplugins locations