Portfolio Filter Gallery < 1.1.3 – CSRF & Reflected XSS

February 4, 2020
Lack of CSRF checks on the Filters page could allow attackers to add, edit, update and delete categories (including deleting all categories), as well as perform reflected XSS attacks.

Timeline

v1.0.8 fixed the reflected XSS; however, there is still no CSRF check on the delete and delete_all_category actions.
v1.1.0 released, no additional fix.
v1.1.1 released, no additional fix.
January 3rd, 2020 - Vendor contacted about lack of CSRF checks.
January 4th, 2020 - Vendor acknowledgment.
January 7th, 2020 - v1.1.2 released, no fix.
January 14th, 2020 - Vendor contacted for updates. Responded that the plugin will be updated after "2 days holidays" (whatever that means).
January 22nd, 2020 - Still no updates, escalated to WP plugin team.
January 27th, 2020 - v1.1.3 released, fixing the remaining CSRF issues. Capability checks are missing from AJAX calls though, but I give up on this one.
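As an added illustration (not the plugin's own code), the following hypothetical admin-ajax handler for a "delete category" action shows the two defects the advisory describes, a missing CSRF nonce check and a missing capability check, beside a hardened version using the standard WordPress APIs; the action names, option key and nonce name are assumptions.

```php
<?php
// Added example, not code from the Portfolio Filter Gallery plugin.
// Hook names, option key and nonce action below are assumptions.

// Weak pattern: any request reaching admin-ajax.php with this action
// deletes the category. There is no nonce check (CSRF) and no capability
// check (authorization), so a request triggered from another site in a
// logged-in admin's browser, or one sent by any authenticated user, succeeds.
function pfg_example_delete_category_weak() {
    $id   = intval( $_POST['id'] ?? 0 );
    $cats = get_option( 'pfg_example_categories', array() );
    unset( $cats[ $id ] );
    update_option( 'pfg_example_categories', $cats );
    wp_send_json_success();
}

// Hardened pattern: verify a nonce bound to this specific action, then
// require a capability, before touching any data.
function pfg_example_delete_category_hardened() {
    // Dies with HTTP 403 if the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'pfg_example_delete_category', 'nonce' );

    // Only users allowed to manage options may delete categories.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $id   = intval( $_POST['id'] ?? 0 );
    $cats = get_option( 'pfg_example_categories', array() );
    if ( ! isset( $cats[ $id ] ) ) {
        wp_send_json_error( 'unknown category', 404 );
    }
    unset( $cats[ $id ] );
    update_option( 'pfg_example_categories', $cats );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// Register only the hardened handler, and only for logged-in users:
// an admin-only action gets no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_pfg_example_delete_category', 'pfg_example_delete_category_hardened' );

// The admin page issuing the request must embed a matching nonce for the
// JavaScript to send as the 'nonce' field, e.g.:
//   wp_localize_script( 'pfg-example-admin', 'pfgExample',
//       array( 'nonce' => wp_create_nonce( 'pfg_example_delete_category' ) ) );
```

A quick check when reviewing a plugin for this bug class is to list every `add_action( 'wp_ajax_...' )` callback and confirm each one calls `check_ajax_referer()` (or `wp_verify_nonce()`) and `current_user_can()` before any state change.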

