Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function

Summary

CVE	CVE-2023-3977
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-07-28 05:15:11 UTC
Updated	2026-04-08 19:18:27 UTC
Description	Several plugins for WordPress by Inisev are vulnerable to Cross-Site Request Forgery to unauthorized installation of plugins due to a missing nonce check on the handle_installation function that is called via the inisev_installation AJAX aciton in various versions. This makes it possible for unauthenticated attackers to install plugins from the limited list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Risk And Classification

Primary CVSS: v3.1 4.3 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS: 0.004490000 probability, percentile 0.636150000 (date 2026-04-09)

Problem Types: CWE-352 | CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`
3.1	[email protected]	Secondary	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`
3.1	CNA	DECLARED	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Backupbliss	Backup Migration	All	All	All	All
Application	Backupbliss	Clone	All	All	All	All
Application	Copy-delete-posts	Duplicate Post	All	All	All	All
Application	Inisev	Enhanced Text Widget	All	All	All	All
Application	Inisev	Redirection	All	All	All	All
Application	Inisev	Rss Redirect Feedburner Alternative	All	All	All	All
Application	Inisev	Ssl Mixed Content Fix	All	All	All	All
Application	Inisev	Ultimate Posts Widget	All	All	All	All
Application	Mypopups	Pop-up	All	All	All	All
Application	Ultimatelysocial	Social Media Share Buttons Social Sharing Icons	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Inisev	Redirection	affected 1.1.3 semver	Not specified
CNA	Inisev	Pop-up	affected 1.1.9 semver	Not specified
CNA	Inisev	BackupBliss Backup Migration With Free Cloud Storage	affected 1.2.7 semver	Not specified
CNA	Inisev	Duplicate Post	affected 1.3.9 semver	Not specified
CNA	Cl272	Enhanced Text Widget	affected 1.5.7 semver	Not specified
CNA	Cl272	Ultimate Posts Widget	affected 2.2.4 semver	Not specified
CNA	Migrate	Clone	affected 2.3.7 semver	Not specified
CNA	Inisev	Social Media Share Buttons Social Sharing Icons	affected 2.8.1 semver	Not specified
CNA	Steve85b	SSL Mixed Content Fix	affected 3.2.3 semver	Not specified
CNA	Inisev	Social Share Icons Social Share Buttons	affected 3.5.7 semver	Not specified
CNA	S-feeds	RSS Redirect Feedburner Alternative	affected 3.7 semver	Not specified

References

Reference	Source	Link	Tags
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function	af854a3a-2127-422b-91ae-364da2661108	www.wordfence.com	Third Party Advisory
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Exploit
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Chloe Chamberland (en)

Additional Advisory Data

Source	Time	Event
CNA	2023-02-22T00:00:00.000Z	Discovered
CNA	2023-02-22T00:00:00.000Z	Vendor Notified
CNA	2023-07-27T00:00:00.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.