Cross-site Request Forgery (CSRF) in Add Social Share Messenger Buttons Whatsapp and Viber plugin <= 1.0.8

This plugin is vulnerable to Cross-Site Request Forgery (CSRF). An admin user can be tricked (via spear phishing/social engineering) into visiting a crafted URL created by an attacker, which lets the attacker change the plugin settings. There is no nonce or role check in the whatsapp_share_setting_add_update() function.
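
The two checks the advisory reports as missing, sketched as an added example (this is not the plugin's code and not from the advisory's author): a WordPress settings handler that verifies the user's capability and a nonce before writing any option. Every `example_*` function, option, nonce and page-slug name is hypothetical.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.

// Settings form: embeds a nonce bound to the current user and this action.
function example_share_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $text = get_option( 'example_share_button_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_share_save">
        <?php wp_nonce_field( 'example_share_save', 'example_share_nonce' ); ?>
        <input type="text" name="button_text" value="<?php echo esc_attr( $text ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: both checks run before any setting is touched.
function example_share_settings_save() {
    // Role check: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Nonce check: ends the request with a 403 when the token is missing or
    // invalid. A forged cross-site request cannot supply a valid token.
    check_admin_referer( 'example_share_save', 'example_share_nonce' );

    // Read the new value from the POST body only, then sanitize it.
    $text = isset( $_POST['button_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['button_text'] ) )
        : '';
    update_option( 'example_share_button_text', $text );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-share' ) );
    exit;
}

// admin_post_{action} fires for logged-in users only; no nopriv hook is registered.
add_action( 'admin_post_example_share_save', 'example_share_settings_save' );
```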

Proof Of Concept:
