PT-2022-11827 · WordPress · Crisp Live Chat

José Aguilera

Published

2022-01-18

Updated

2022-01-24

CVE-2021-43353

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Crisp Live Chat WordPress plugin versions up to, and including 0.31

Description The issue is related to Cross-Site Request Forgery due to missing nonce validation via the crisp plugin settings page function found in the ~/crisp.php file. This made it possible for attackers to inject arbitrary web scripts.

Recommendations For versions up to, and including 0.31, update to a version that includes the necessary nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider disabling the crisp plugin settings page function until a patch is available.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2021-43353

Affected Products

Crisp Live Chat

PT-2022-11827 · WordPress · Crisp Live Chat

CVE-2021-43353

Weakness Enumeration

Related Identifiers

Affected Products

References · 6