PT-2026-41280 · WordPress · Notify Odoo
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Notify Odoo versions prior to 1.0.2
Description
The Notify Odoo plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw. This occurs because the
updateSettings() function lacks proper nonce validation. A nonce (number used once) is a unique token used to verify that a request was intentionally sent by the user. Consequently, unauthenticated attackers can trick a site administrator into clicking a link to execute a forged request. This allows the attacker to change the Notify Odoo URL to one they control and modify settings related to notifications, tracking images, and allowed IP addresses.Recommendations
Update the plugin to a version later than 1.0.1.
As a temporary workaround, restrict access to the
updateSettings() function to minimize the risk of exploitation.Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Notify Odoo