11 Dirty CSRF MAR 2022 | Cross-Site Request Forgery MAR 2022

CSRF MAR 2022 – Cross-Site Request Forgery MAR 2022

Managed WP/Woo Security Report

Be informed about the latest Cross-Site Request Forgery MAR 2022, identified and reported publicly. As these CSRF MAR 2022 vulnerabilities have a severe negative impact on any WordPress Security, consider our security audit.

An estimated 316.000+ active WordPress installations are susceptible to this attack type, considering only the publicly available numbers. It is a significant -35% decrease compared to last month. The estimated number can increase by 5-10% with premium versions as they are private purchases.

Furthermore, the initial estimation can triple if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.

• Simple Membership – Arbitrary Member Deletion via CSRF
• Simple Membership – Arbitrary Transaction Deletion via Cross-Site Request Forgery (CSRF)
  • The simple membership plugin lets you protect your posts and pages so only your members can view the protected content. Active installations: 50,000 +

---

• Post Snippets – CSRF to Stored Cross-Site Scripting (XSS)
  • This plugin lets you build a library with snippets of HTML, PHP code or reoccurring text that you often use in your posts and pages. You can use predefined variables to replace parts of the snippet on insert. All snippets are available in the post editor via a button in the Visual mode. Active installations: 30,000 +

---

• Maps Plugin using Google Maps for WordPress – WP Google Map – Arbitrary Post Deletion and Plugin’s Settings Update via CSRF
  • WP Google Map is an awesome plugin to use when adding a custom Google map to your website. It is fully customizable and can be used as shortcode. Active installations: 20,000+

---

• Logo Showcase with Slick Slider – Logo Carousel, Logo Slider & Logo Grid – Arbitrary Media Title/Description/Alt Text/URL Update via CSRF
  • Using Logo Showcase with Slick Slider plugin creating a carousel slider of logos like client logo slider, partners logo slider, sponsor logo slider is super easy with help of logo gallery, drag and drop order change and user friendly settings. Active installations: 3,000+

---

• Pricing Tables WordPress Plugin – Easy Pricing Tables –
  Arbitrary Post Removal via Cross-Site Request Forgery (CSRF)
  • The Easy Pricing Tables WordPress Plugin makes it easy to create and publish beautiful pricing tables and comparison tables on your WordPress site. You can build, customize and publish a pricing table in just a few minutes, straight from the post editor, with zero coding required. Active installations: 20,000 +

---

• Spiffy Calendar – Edit/Delete event via IDOR
• Spiffy Calendar – Reflected Cross-Site Scripting (XSS)
• Spiffy Calendar –
  Event deletion via Cross-Site Request Forgery (CSRF)

• Spiffy Calendar – Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities
• Spiffy Calendar – Persistent Cross-Site Scripting (XSS)
  • Manage and display your events in a responsive calendar with multiple views, widgets and shortcodes. Color-coded categories and recurrence support. The premium Bonus Add-Ons supplements the plugin with additional themes, customizer support, ICS export, front end submit, CSV import/export and custom fields. Active installations: 4,000+

---

• Powerkit – Supercharge your WordPress Site – Post Views Settings Update/Reset via Cross-Site Request Forgery (CSRF)
  • We’ve been developing premium WordPress themes for a few years and have always been lacking essentials things in the WordPress core. Active installations: 10,000+

---

• WP Content Copy Protection & No Right Click – Cross-Site Request Forgery (CSRF) leads to Settings Update
  • This wp plugin protect the posts content from being copied by any other web site author , you dont want your content to spread without your permission!! Active installations: 100,000+

---

• Simple Quotation – Quote Creation/Edition via CSRF
• Simple Quotation – CSRF leading to Stored Cross-Site Scripting (XSS)
  • This plugin has been closed as of January 7, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Hide Admin Bar Based on User Roles – Settings Update
• Hide Admin Bar Based on User Roles – Settings Update via Cross-Site Request Forgery (CSRF)
  • This plugin is very useful to hide admin bar based on selected user roles and user capabilities. Active installations: 20,000+

---

• WP-Matomo Integration (WP-Piwik) – Plugin Settings Reset via CSRF
  • This plugin uses the Matomo API to show your Matomo statistics in your WordPress dashboard. It’s also able to add the Matomo tracking code to your blog and to do some modifications to the tracking code. Additionally, WP-Matomo supports WordPress networks and manages multiple sites and their tracking codes. Active installations: 60,000+

---

BRIEF: Cross-Site Request Forgery MAR 2022 is a type of malicious exploit of a website where unauthorised commands are submitted from a user that the web application trusts. Cross-site request forgery is also known as one-click attack, session riding, CSRF, XSRF, Sea Surf, Session Riding, Cross-Site Reference Forgery, or Hostile Linking.

What is Cross-Site Request Forgery MAR 2022?

Cross-site request forgery (also known as CSRF) is a web Security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

What is the impact of a CSRF MAR 2022 attack?

In a successful CSRF attack, the attacker causes the victim user to act unintentionally. Example: this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user’s account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application’s data and functionality.

 

MANAGED WP/Woo Security: CSRF MAR 2022 | Cross-Site Request Forgery MAR 2022 Related Posts