Twenty five plugins for WordPress were found to be vulnerable to cross-site request forgery (CSRF) attacks.

What is a CSRF attack?

In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user’s account.

The impact of these vulnerabilities may vary from low to high severity, leading to, for example, XSS (stored or reflected), changes in settings, configuration import and modification of data in the database, among other issues.

Below is a list of vulnerable plugins that have been fixed by their authors. These are not sorted in any particular order.

  1. Cartflows: It has over 100,000+ active installations. And the vulnerable version: 1.5.15 and below.
  2. Paid Memberships Pro : It has 100,000+ installations. And the vulnerable version: 2.4.2 and below.
  3. Cool Timeline: It has 10,000+ installations. And the vulnerable version: 2.0.2 and below.
  4. Custom Field Template: It has 70,000+ installations. And the vulnerable version: 2.5.1 and below.
  5. eCommerce Product Catalog Plugin: It has more than 10,000+ active installs. And the vulnerable version: 2.9.43 and below.
  6. NotificationX: It has more than 10,000+ installations. And the vulnerable version: 1.8.2 and below.
  7. Product Catalog X: It has more than 1,000+ installations. And the vulnerable version: 1.5.12 and below.
  8. Coupon Creator: It has 10,000+ installations. And the vulnerable version: 3.1 and below.
  9. Radio Buttons for Taxonomies: It has 10,000+ installations. And the vulnerable version: 2.0.5 and below.
  10. Menu Swapper: It has over 7,000+ installations. And the vulnerable version: 1.1.0.2 and below.
  11. Forminator: It has over 70,000+ installations. And the vulnerable version: 1.13.4 and below.
  12. Coming Soon & Maintenance Mode Page: It has more than 20,000+ installations. And in vulnerable version: 1.57 and below.
  13. Woody ad snippets: It has 80,000+ installations. And vulnerable version: 2.3.9 and below.
  14. Feed Them Social: It has 80,000+ installations. And the vulnerable version: 2.8.6 and below.
  15. Import / Export Customizer Settings: It has over 50,000+ installations. And the vulnerable version: 1.0.3 and below.
  16. Easy Testimonials: It has more than 30,000+ installations. And vulnerable version: 3.6.1 and below.
  17. RSS Aggregator by Feedzy: It has over 40,000+ installations. And the vulnerable version: 3.4.2 and below.
  18. Top 10 – Popular posts plugin for WordPress: It has more than 30,000+ installations. And the vulnerable version: 2.9.4 and below.
  19. Dokan: It has over 50,000+ installations. And the vulnerable version: 3.0.8 and below.
  20. Lightweight Sidebar Manager has over 50,000+ installations. And the vulnerable version: 1.1.4 and below.
  21. WP Hotel Booking has more than 9,000+ active installations. And the vulnerable version: 1.10.1 and below.
  22. WP ERP: It has more than 10,000+ installations. And the vulnerable version: 1.6.3 and below.
  23. Best WooCommerce Multivendor Marketplace Solution: It has more than 9,000+ installations. And the vulnerable version: 3.5.7 and below.
  24. WP Project Manager has more than 10,000+ installations. And the vulnerable version: 2.4.0 and below.
  25. 10WebAnalytics: It has over 10,000+ installations. And the vulnerable version: 1.2.8 and below.

All vulnerabilities were reported to the authors or the WordPress plugins team on August 24th.

Tip

Make sure to update to the latest version if you are running any of the above-mentioned plugins.

You may also like:

5 Best WooCommerce Reporting Plugins

11 Best Backup Plugins for WordPress – Complete List