WordPress LWS Tools Plugin <= 2.3.1 is vulnerable to Cross-Site Request Forgery (CSRF)
This could allow a malicious actor to force higher-privileged users to execute unwanted actions under their current authentication. One example is a password change, which would then allow the malicious actor to log in to the admin account.
Update the WordPress LWS Tools plugin to the latest available version (at least 2.4).
- 04 February 2023: Reported to Patchstack
- 06 February 2023: Vulnerability validated
- 02 March 2023: Vulnerability fixed
- 02 March 2023: Vulnerability disclosed