
Plugin Name: NoAuth White Screen

The vulnerability exists because the plugin's settings update handler has no CSRF protection in place (in WordPress this is normally a nonce check bound to the form and the current user), so a forged request from a third-party site is accepted when it is submitted by the browser of a logged-in administrator. An attacker could in this way make a logged-in admin change the settings of the plugin, such as disabling the setting that requires a password to log in or enabling login via email address. Because the request is sent by the administrator's own browser with the administrator's own cookies, the settings are changed without the knowledge of the plugin user. This issue was fixed in release 1.0.6 and later of the plugin. Update the plugin when an update is recommended.
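The following is an added illustration of the class of bug described above, not the NoAuth White Screen plugin's own code and not taken from the fix: a WordPress settings handler that saves options on any POST (vulnerable to CSRF) beside the same handler guarded by a nonce check and a capability check. The option names, form fields and `admin_post_` action names (`nws_*`) are hypothetical; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`) are the real core functions.

```php
<?php
// Added example, not the NoAuth White Screen plugin's code.
// All nws_* names and option keys are hypothetical.

// --- Vulnerable pattern: settings saved on any POST, no nonce, no capability check ---
add_action( 'admin_post_nws_save_vulnerable', 'nws_save_settings_vulnerable' );
function nws_save_settings_vulnerable() {
    // A page on any other site can auto-submit a form to admin-post.php with
    // action=nws_save_vulnerable. The victim's browser attaches the WordPress
    // login cookies, so the request runs with the administrator's session and
    // the settings are changed without the administrator noticing.
    update_option( 'nws_require_password', isset( $_POST['require_password'] ) ? '1' : '0' );
    update_option( 'nws_email_login',      isset( $_POST['email_login'] ) ? '1' : '0' );
    wp_safe_redirect( admin_url( 'options-general.php?page=nws&updated=1' ) );
    exit;
}

// --- Hardened pattern: nonce field in the form, nonce + capability check in the handler ---
function nws_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nws_save">
        <?php wp_nonce_field( 'nws_save_settings', 'nws_nonce' ); ?>
        <label><input type="checkbox" name="require_password" value="1"
            <?php checked( get_option( 'nws_require_password', '1' ), '1' ); ?>> Require password to log in</label>
        <label><input type="checkbox" name="email_login" value="1"
            <?php checked( get_option( 'nws_email_login', '0' ), '1' ); ?>> Allow login via email address</label>
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_nws_save', 'nws_save_settings_hardened' );
function nws_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage options may change settings.
    //    A nonce alone is not an authorization check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), 403 );
    }

    // 2. CSRF: the nonce is tied to the action name and the current user's session,
    //    so a cross-site form cannot supply a valid value. check_admin_referer()
    //    calls wp_die() when the nonce is missing or invalid, so execution stops here.
    check_admin_referer( 'nws_save_settings', 'nws_nonce' );

    // 3. Only now persist the values, normalised to '0' / '1'.
    update_option( 'nws_require_password', empty( $_POST['require_password'] ) ? '0' : '1' );
    update_option( 'nws_email_login',      empty( $_POST['email_login'] ) ? '0' : '1' );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=nws' ) ) );
    exit;
}
```

The two checks are independent and both are needed: `current_user_can()` answers "is this user permitted to do this?", while `check_admin_referer()` answers "did this request originate from a form this user was actually shown?". A handler that only checks the nonce still lets a low-privileged user who can reach the form change the options; a handler that only checks the capability is exactly the CSRF situation described on this page, since the administrator is permitted, but did not intend the request.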

Timeline

Published on: 09/26/2022 13:15:00 UTC
Last modified on: 09/27/2022 04:44:00 UTC

References