08 Feb

Vulnerability Details: Authenticated Settings Change in Launcher

This Vulnerability Details post about a vulnerability in the plugin Launcher provides the details of a vulnerability we didn’t discover, and access to it is limited to customers of our service. The posts on vulnerabilities we have discovered, by contrast, are freely available and give you an idea of what information is provided in the [Read more]

16 Oct

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Facebook Like Box

This Vulnerability Details post about a vulnerability in the plugin Facebook Like Box provides the details of a vulnerability we didn’t discover, and access to it is limited to customers of our service. The posts on vulnerabilities we have discovered, by contrast, are freely available and give you an idea of what information is provided [Read more]

19 Jul

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Share Buttons by AddThis

We recently found that the plugin Share Buttons by AddThis had a cross-site request forgery (CSRF)/settings change vulnerability. When setting the plugin’s settings by clicking the Save Options button on the plugin’s settings page, proper protection against CSRF exists, but it doesn’t for an alternate method when the plugin is set to be controlled from “AddThis.com”. When [Read more]

27 Jun

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Salon booking system

Recently, while looking into something else, we noticed that the plugin Salon booking system has a cross-site request forgery (CSRF) vulnerability in its code to save the plugin’s settings, which could be used to change the PayPal account that payments through the plugin are sent to. The issue is due to the code that handles saving changes [Read more]