cleantalk
Vulnerabilities and Security Researches

a3 Portfolio, d1b0f784da3ca0f399c542515fda1423816819f0

CVE, Research URL

d1b0f784da3ca0f399c542515fda1423816819f0

Home page URL

Security reports for a3 Portfolio

Application

a3 Portfolio

Published on
Nov 02, 2022
Research Description
a3 Portfolio [a3-portfolio] < 3.1.1 a3 Lazy Load <= 2.6.0 - Cross-Site Request Forgery to Settings Reset The following plugins for WordPress are vulnerable to Cross-Site Request Forgery: a3 Lazy Load (<= 2.6.0), Contact Us Page – Contact People (<= 3.6.1), a3 Portfolio (<= 3.0.1), Dynamic Product Gallery for WooCommerce (3.0.1), a3 Responsive Slider (<= 2.2.0), Compare Products for WooCommerce (<= 2.8.2), Products Quick View for WooCommerce (<= 2.0.1), Product Sort and Display for WooCommerce (<= 2.2.2), Product Widget Slider for WooCommerce (), WP Email Template (<= 2.6.2). This is due to missing nonce validation on the reset_settings() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 3.1.1.
Status
vulnerable
Previous vulnerability researches
Contact Us Page &#8211; Contact People (CVE-2025-28967) , Jul 07, 2025
Contact Us Page &#8211; Contact People (CVE-2025-5123) , Jun 15, 2025
Contact Us Page &#8211; Contact People (CVE-2023-23973) , Jun 07, 2024
Contact Us Page &#8211; Contact People (d1b0f784da3ca0f399c542515fda1423816819f0) , Jun 07, 2024
New vulnerability
Gallery Widget (CVE-2025-28969) , Jul 08, 2025
Contact Us Page &#8211; Contact People (CVE-2025-28967) , Jul 07, 2025
WP fancybox (CVE-2025-26591) , Jul 07, 2025
Click &amp; Pledge Connect Plugin (CVE-2025-28983) , Jul 07, 2025
Posts Slider Shortcode (CVE-2025-30943) , Jul 07, 2025