vulnerability
WordPress Plugin: stop-referrer-spam: CVE-2023-33207: Cross-Site Request Forgery (CSRF)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | May 18, 2023 | May 15, 2025 | May 15, 2025 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
May 18, 2023
Added
May 15, 2025
Modified
May 15, 2025
Description
The Stop Referrer Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to insufficient nonce validation on the processParameters function. This makes it possible for unauthenticated attackers to refresh the spam blocklist and save custom URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The issue was partially patched in version 1.3.0 but because nonce generation does not occur until the first time the admin page is visited, it is possible for an attacker to supply an empty nonce value which will successfully result in settings being saved if the administrator has not yet visited the plugin's admin page.
Solution
stop-referrer-spam-plugin-cve-2023-33207
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.