PT-2020-7864 · WordPress · Private Only

Mallory Adams · Published 2020-01-28 · Updated 2020-01-31

CVE-2015-5483

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Private Only plugin version 3.5.1 for WordPress
Description: The plugin does not protect its settings requests against cross-site request forgery (CSRF), so a remote attacker can hijack the authentication of an administrator for various requests, including adding users, deleting posts, or modifying PHP files. In addition, the po logo parameter, submitted from the "privateonly.php" settings page to "wp-admin/options-general.php", is not sanitized or escaped, which enables cross-site scripting (XSS).
Recommendations: For Private Only plugin version 3.5.1, update to a version that addresses these issues to prevent CSRF and XSS attacks. As a temporary workaround, consider restricting access to the privateonly.php page and the wp-admin/options-general.php endpoint to minimize the risk of exploitation. Avoid using the po logo parameter on the affected endpoint until the issue is resolved.
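As an added illustration of the fix the recommendation points at (this is not the plugin's own code), the standard WordPress pattern that closes both issues: a nonce on the settings form so forged cross-site submissions are rejected before the option is saved, plus sanitization on write and escaping on output of the logo value. The option name po_logo (the page writes it as "po logo"), the settings group and every function name below are assumed.

```php
<?php
// Added example, not Private Only's code. Assumes WordPress core is loaded;
// option name "po_logo", group "po_settings" and all po_* names are hypothetical.

// Register the option with a sanitize callback so every write path (including
// the Settings API save through options.php) goes through validation.
add_action('admin_init', function () {
    register_setting('po_settings', 'po_logo', [
        'type'              => 'string',
        'sanitize_callback' => 'po_sanitize_logo_url',
        'default'           => '',
    ]);
});

// Accept only an http/https URL; anything else (javascript:, markup) is stripped.
function po_sanitize_logo_url($value) {
    return esc_url_raw(trim((string) $value), ['http', 'https']);
}

// Render the settings form. settings_fields() emits the nonce and hidden fields
// that options.php verifies (check_admin_referer) before touching the option,
// which is what defeats the CSRF described above.
function po_render_settings_page() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', 403);
    }
    $logo = get_option('po_logo', '');
    ?>
    <form method="post" action="options.php">
        <?php settings_fields('po_settings'); ?>
        <label for="po_logo">Logo URL</label>
        <!-- esc_attr() on output is what prevents the stored value from
             breaking out of the attribute and running as script. -->
        <input type="url" id="po_logo" name="po_logo"
               value="<?php echo esc_attr($logo); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// If a plugin handles its own POST instead of using options.php, it must do the
// two checks explicitly: capability first, then the nonce, then sanitize.
function po_handle_manual_save() {
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden.', 403);
    }
    check_admin_referer('po_save_settings', 'po_nonce'); // dies on a missing/forged nonce
    update_option('po_logo', po_sanitize_logo_url($_POST['po_logo'] ?? ''));
}
```

The form path and the manual path are equivalent in effect; the vulnerable behaviour is the manual path with the nonce check and sanitizer left out.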

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

CVE-2015-5483

Affected Products

Private Only