CVE-2023-6492 MEDIUM

CVE-2023-6492: Simple Sitemap <= 3.5.13 - Cross-Site Request Forgery via admin_notices

Vendor Dgwyer
Product Simple Sitemap – Create a Responsive HTML Sitemap
Weakness CWE-352 · CSRF
Published June 14, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible for unauthenticated attackers to reset the plugin options to a default state via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

June 14, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-53734 WordPress Idealien Category Enhancements plugin <= 1.2 - CSRF to Stored XSS vulnerability CVE-2025-49269 WordPress Market Exporter plugin <= 2.0.22 - Cross Site Request Forgery (CSRF) Vulnerability CVE-2025-23446 WordPress WP SpaceContent plugin <= 0.4.5 - CSRF to Stored Cross Site Scripting (XSS) vulnerability CVE-2024-11641 VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload CVE-2024-49628 WordPress Most And Least Read Posts Widget plugin <= 2.5.18 - Cross Site Request Forgery (CSRF) vulnerability