The plugin does not have a CSRF check in action_authenticate_storage. An attacker could use a CSRF attack to make a logged-in admin inject JavaScript into a parameter in the authentication process, provided the attacker can trick the admin into performing multiple actions, including re-authenticating a connection to a storage.
CPE

Name | Operator | Version |
---|---|---|
updraftplus | lt | 1.23.4 |