Viewing 3 replies - 1 through 3 (of 3 total)
Plugin Author SVGator

    (@svgator)

    Hi there,

    First of all thanks for letting us know!

We just reached out to PatchStack for further details, yet after giving the plugin a deeper look we have arrived at the conclusion that this is a false-positive alert (due to the reasons detailed below).

    • to attach & authorize an SVGator account to the WordPress plugin, the request must originate from the app.svgator.com domain (so it’s not enough to get malicious code running on the WordPress installation itself)
    • in the current setup only administrators can access the SVGator plugin, yet one admin can revoke another admin’s rights directly from the UI

Despite the fact that we strongly believe there are no actual risks, we are planning an update to address the theoretical issue as well as making PatchStack’s mVDP part of the process.

We will keep you updated!

    Best,

Lorand.
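For readers following this thread, the following is an added illustrative example (not code from the SVGator plugin or from the thread participants) of how a WordPress plugin handler for an "attach account" action can layer the standard CSRF defences that the reply above refers to: a capability check so only administrators reach the handler, a WordPress nonce so a cross-site page cannot forge the request, and an Origin-header allowlist as defence in depth mirroring the app.svgator.com domain restriction. The action name, option name, nonce name and form fields are hypothetical.

```php
<?php
// Hypothetical WordPress admin-post handler (illustrative only, not plugin code).
// Action, option and nonce names below are made up for this example.

add_action( 'admin_post_example_connect_account', 'example_handle_connect_account' );

function example_handle_connect_account() {
    // 1. Capability check: only administrators may link an external account.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request must carry a token bound to this user and
    //    action; a page on another site cannot read it. check_admin_referer()
    //    terminates the request on failure.
    check_admin_referer( 'example_connect_account', '_example_nonce' );

    // 3. Defence in depth: if the browser sent an Origin header, its host must
    //    be on the allowlist. This does not replace the nonce, because Origin
    //    is not sent on every request type.
    if ( isset( $_SERVER['HTTP_ORIGIN'] ) ) {
        $origin_host   = wp_parse_url( $_SERVER['HTTP_ORIGIN'], PHP_URL_HOST );
        $allowed_hosts = array( 'app.svgator.com', wp_parse_url( home_url(), PHP_URL_HOST ) );
        if ( ! in_array( $origin_host, $allowed_hosts, true ) ) {
            wp_die( 'Request origin not allowed.', '', array( 'response' => 403 ) );
        }
    }

    // 4. Only now act on the request, after sanitising the input.
    $token = isset( $_POST['account_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['account_token'] ) )
        : '';
    if ( '' === $token ) {
        wp_die( 'Missing account token.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_account_token', $token );

    wp_safe_redirect( admin_url( 'options-general.php?page=example&connected=1' ) );
    exit;
}

// The settings form that posts to the handler must embed the matching nonce
// field, otherwise step 2 rejects every submission.
function example_render_connect_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_connect_account">
        <?php wp_nonce_field( 'example_connect_account', '_example_nonce' ); ?>
        <input type="text" name="account_token">
        <button type="submit">Connect</button>
    </form>
    <?php
}
```

The order matters: the capability and nonce checks run before any input is read or any state changes, so a forged request from another origin fails at step 2 even when the victim is a logged-in administrator.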

    Plugin Author SVGator

    (@svgator)

    Hi Simon,

Here’s an update as promised – although this was a false-positive notice, we just released a patch in version 1.2.5 (as it also appears on PatchStack), so please just upgrade your plugin to its latest version.

    Thanks again for reaching out!

    Best Regards,

    Lorand.

    Thread Starter simonclay

    (@simonclay)

    Very much appreciated, thank you.

The topic ‘Cross Site Request Forgery (CSRF) vulnerability in SVGator Plugin’ is closed to new replies.