Description (what the vulnerability does)
The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function, which handles settings updates. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.
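To make the missing check concrete, here is an added example (not the plugin's own code) of a minimal WordPress settings handler written the way the advisory describes, next to a hardened version that uses the core nonce and capability APIs. The option name and the ncff_example_* function and nonce names are hypothetical.

```php
<?php
// Added example, not code from the Neos Connector for Fakturama plugin.
// Option and function names prefixed ncff_example_ are hypothetical.

// WEAK: writes an option straight from POST with no nonce check and no
// capability check. The browser attaches the administrator's cookies to
// any request, so a form submitted from a third-party page is accepted
// exactly like one from the real settings screen. This is the CSRF
// pattern the advisory describes.
function ncff_example_save_settings_weak() {
    if ( isset( $_POST['ncff_example_api_url'] ) ) {
        update_option( 'ncff_example_api_url',
            esc_url_raw( wp_unslash( $_POST['ncff_example_api_url'] ) ) );
    }
}

// HARDENED, part 1: the settings form carries a nonce tied to one action.
// wp_nonce_field() emits hidden fields "ncff_example_nonce" and
// "_wp_http_referer"; the nonce is bound to the current user and session.
function ncff_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ncff_example_save_settings', 'ncff_example_nonce' );
    echo '<input type="text" name="ncff_example_api_url" value="'
        . esc_attr( get_option( 'ncff_example_api_url', '' ) ) . '" />';
    submit_button( 'Save' );
    echo '</form>';
}

// HARDENED, part 2: the handler checks who is acting and that the request
// originated from the plugin's own form before touching any option.
// check_admin_referer() calls wp_die() when the nonce is absent, expired
// or issued for a different action/user, so a forged request stops here.
function ncff_example_save_settings_hardened() {
    if ( ! isset( $_POST['ncff_example_api_url'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ) );
    }
    check_admin_referer( 'ncff_example_save_settings', 'ncff_example_nonce' );
    update_option( 'ncff_example_api_url',
        esc_url_raw( wp_unslash( $_POST['ncff_example_api_url'] ) ) );
}
```

Settings pages built on the Settings API (register_setting() plus settings_fields() in the form) get the nonce and its verification from WordPress core; hand-rolled handlers like the one above must call check_admin_referer() (or wp_verify_nonce() for a custom failure path) themselves, and links that trigger state changes should be generated with wp_nonce_url().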
Summary (explanation of the vulnerability in simple terms)
The Neos Connector for Fakturama contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unwanted actions on behalf of a logged-in user. The vulnerability affects versions 0.0.14 and earlier. An attacker must trick a user into visiting a malicious webpage while the user is authenticated to the connector. The impact is limited to data modification; no data disclosure or service disruption occurs.
Attacker capabilities (what an attacker can do)
Perform unwanted actions (like modifying data) on behalf of a logged-in user without their knowledge.
Site impact (potential impact on your site)
Users' authenticated sessions can be abused to modify connector settings or data if they visit untrusted sites.
Prerequisites (conditions required to exploit)
User must be logged in and visit an attacker-controlled webpage while authenticated.
Disclosure timeline (key dates)
March 21, 2026: CVE published
April 8, 2026: Record updated