CVE-2023-4729

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Mar 12, 2024

Summary

CVE-2023-4729 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the LadiApp plugin for WordPress. The issue resides in the publish_lp() function, which lacks a necessary nonce check when called via an AJAX action. Unauthenticated attackers can exploit this flaw to modify the LadiPage key, giving them the ability to create new pages on vulnerable sites. This includes malicious pages containing stored XSS payloads, which can be triggered if a site administrator is coerced into executing a specific action, such as clicking on a crafted link. The vulnerability exists in versions up to and including 4.4 of the LadiApp plugin.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/siJ6pl
https://www.cve.org/CVERecord?id=CVE-2023-4729
https://nvd.nist.gov/vuln/detail/CVE-2023-4729

Back to Vulnerability Database

CVE-2023-4729

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Summary

Advisories, Assessments, and Mitigations