Cross-Site Request Forgery Vulnerability in PowerPack Addons for Elementor Plugin

Cross-Site Request Forgery Vulnerability in PowerPack Addons for Elementor Plugin

CVE-2023-6984 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13. This is due to missing or incorrect nonce validation in the powerpack-lite-for-elementor/classes/class-pp-admin-settings.php file. This makes it possible for unauthenticated attackers to modify and reset plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Learn more about our Wordpress Pen Testing.