CVE-2023-6499: lasTunes <= 3.6.1 - Settings Update via CSRF
First published: Mon Feb 12 2024(Updated: )
The lasTunes WordPress plugin through 3.6.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress | <=3.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2023-6499?
CVE-2023-6499 has been classified as a medium severity vulnerability due to its potential for Cross-Site Scripting via CSRF attacks.
How do I fix CVE-2023-6499?
To fix CVE-2023-6499, update the lasTunes WordPress plugin to the latest version that includes CSRF protections and proper input sanitization.
Who is affected by CVE-2023-6499?
Users of the lasTunes WordPress plugin versions up to and including 3.6.1 are affected by CVE-2023-6499.
What types of attacks can CVE-2023-6499 enable?
CVE-2023-6499 could enable attackers to perform Cross-Site Scripting (XSS) attacks through CSRF, allowing them to inject malicious scripts.
Is there a workaround for CVE-2023-6499?
Until the plugin is updated, a viable workaround for CVE-2023-6499 is to disable the lasTunes plugin or restrict access to trusted users only.
- agent/references
- agent/author
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/event
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/calenfretts
- canonical/wordpress
- version/wordpress/3.6.1