CVE-2018-11632

MEDIUM

Add Social Share Messenger Buttons Whatsapp and Viber 1.0.8 - Cross-Site Request Forgery via Admin-Post Handler

Title source: llm
STIX 2.1

Description

An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings via wp-admin/admin-post.php CSRF. There's no nonce or capability check in the whatsapp_share_setting_add_update() function.

Scores

CVSS v3 6.5
EPSS 0.0054
EPSS Percentile 41.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-352
Status published
Products (1)
multidots/add_social_share_messenger_buttons_whatsapp_and_viber 1.0.8
Published May 31, 2018
Tracked Since Feb 18, 2026