- Published on
-
Nov 02, 2022
- Research Description
-
a3 Portfolio [a3-portfolio] < 3.1.1
a3 Lazy Load <= 2.6.0 - Cross-Site Request Forgery to Settings Reset
The following plugins for WordPress are vulnerable to Cross-Site Request Forgery:
a3 Lazy Load (<= 2.6.0), Contact Us Page – Contact People (<= 3.6.1), a3 Portfolio (<= 3.0.1), Dynamic Product Gallery for WooCommerce (3.0.1), a3 Responsive Slider (<= 2.2.0), Compare Products for WooCommerce (<= 2.8.2), Products Quick View for WooCommerce (<= 2.0.1), Product Sort and Display for WooCommerce (<= 2.2.2), Product Widget Slider for WooCommerce (), WP Email Template (<= 2.6.2).
This is due to missing nonce validation on the reset_settings() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
Min -, max 3.1.1.
Plugin Security Certification
Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Get Plugin Security Certificate
| New vulnerability |
|
Redis Object Cache
, Sep 17, 2025
|
|
Zakra
(CVE-2025-8595)
, Sep 15, 2025
|
|
PDF Embedder
, Sep 11, 2025
|
|
Pixeline's Email Protector
(CVE-2025-58982)
, Sep 11, 2025
|
|
Include Me
(CVE-2025-58983)
, Sep 11, 2025
|