The plugin does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issues
Delete arbitrary Verse: https://example.com/wp-admin/options-general.php?page=verse-o-matic.php&action;=delete&vomID;=1 Stored XSS via settings: XSS via added verse:
CPE | Name | Operator | Version |
---|---|---|---|
verse-o-matic | eq | * |