﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
612	Convert the links and the associated forms to use nonces	t.goetzrath	d.schmitzer	"see: https://codex.wordpress.org/WordPress_Nonces

Reason for this:
During our monitoring of changes made to WordPress plugins in the Plugin Directory we found a cross-site request forgery (CSRF)/arbitrary file upload vulnerability in your wpShopGermany Free plugin.

When uploading files through the page /wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung there is no protection against cross-site request forgery (CSRF), so it would be possible for an attacker to cause someone logged in to WordPress as Administrator to upload files they didn't intend. It looks like the lack of protection against CSRF is an issue with other parts of the plugin as well. Fixing the CSRF issue would take care of this, but if possible it would be a good idea to restrict what types of files can be uploaded as well.

You can find information on preventing cross-site request forgery (CSRF) in WordPress plugins at http://codex.wordpress.org/WordPress_Nonces.

If you have any questions or need help in dealing with this issue, please feel free to get back to us.

Due to our need to inform our customers of vulnerabilities in plugins they may be using on a timely basis, our policy is to disclose a vulnerability no later than 30 days after we have notified the developer of it and 7 days after notifying if we don't receive any response from the developer. So if this is not going to be fixed in the next 7 days please let us know and we will hold back disclosure until after it is fixed or 30 days, whichever comes first.

Plugin Vulnerabilities

"	defect	closed	blocker	4.2	Core	4.0	fixed	Security	
