CVE-2023-31086

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the Simple Giveaways WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. Attackers can create malicious requests that execute when an admin visits a compromised page, potentially modifying plugin settings or contest data. WordPress sites using Simple Giveaways plugin version 2.46.0 or earlier are affected.

💻 Affected Systems

Products:
  • WordPress Simple Giveaways plugin
Versions: <= 2.46.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Simple Giveaways plugin installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify giveaway settings, manipulate contest data, or potentially chain with other vulnerabilities to gain administrative access to the WordPress site.

🟠 Likely Case

Attackers modify giveaway configurations, manipulate contest entries, or change plugin settings without admin consent.

🟢 If Mitigated

With proper CSRF protections and user awareness, impact is limited to failed exploitation attempts with no data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated admin to click a malicious link or visit a compromised page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.46.1 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/giveasap/wordpress-simple-giveaways-plugin-2-45-1-cross-site-request-forgery-csrf-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Simple Giveaways plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the Simple Giveaways plugin until patched:

wp plugin deactivate giveasap

CSRF Protection Headers (applies to: all)

Implement Content Security Policy headers to restrict script execution:

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'";

🧯 If You Can't Patch

  • Restrict admin access to trusted networks only
  • Implement strict user awareness training about clicking unknown links

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins and check the Simple Giveaways version number; 2.46.0 or earlier is affected.

Check Version:

wp plugin get giveasap --field=version

Verify Fix Applied:

Confirm the plugin version shown in the WordPress admin is 2.46.1 or higher.
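The version check above can be scripted so it runs the same across many sites. The following is an added example, not code from the advisory or from the plugin: it wraps the `wp plugin get giveasap --field=version` command listed on this page, compares the result against the patched release 2.46.1, and reports a verdict. It assumes wp-cli is installed and that the WordPress root is supplied in the `WP_PATH` environment variable (both are assumptions for the example).

```python
"""Check whether an installed Simple Giveaways (giveasap) plugin is at or
above the patched release named in the advisory (CVE-2023-31086).

Added example; not code from the advisory or the plugin. Assumes wp-cli is
on PATH and that WP_PATH points at the WordPress root.
"""
import os
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "giveasap"      # slug used by the wp-cli commands on the page
PATCHED_VERSION = "2.46.1"    # first fixed release per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.46.0' into (2, 46, 0). Trailing non-digits in a component
    ('1-beta') are dropped, so pre-release tags are ignored, not rejected."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is >= the patched version."""
    a, b = parse_version(installed), parse_version(patched)
    # Pad the shorter tuple so (2, 46) compares equal to (2, 46, 0).
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_version(wp_path: str) -> Optional[str]:
    """Ask wp-cli for the plugin version (the verification command from the
    advisory). Returns None if the plugin is absent or wp-cli is unavailable."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version",
             f"--path={wp_path}"],
            capture_output=True, text=True, check=True, timeout=60,
        )
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def assess(version: Optional[str]) -> str:
    """Human-readable verdict for a given installed version (None = absent)."""
    if version is None:
        return f"{PLUGIN_SLUG}: not installed or wp-cli unavailable"
    if is_patched(version):
        return f"{PLUGIN_SLUG} {version}: patched (>= {PATCHED_VERSION})"
    return (f"{PLUGIN_SLUG} {version}: VULNERABLE to CVE-2023-31086, "
            f"update to {PATCHED_VERSION} or later")


if __name__ == "__main__":
    # WP_PATH is an assumed environment variable; default is a common layout.
    wp_root = os.environ.get("WP_PATH", "/var/www/html")
    print(assess(installed_version(wp_root)))
```

Because `is_patched` pads missing components, a plugin reporting `2.47` is treated as `2.47.0`; because pre-release suffixes are dropped, a hypothetical `2.46.1-beta` would count as patched, so treat that case by inspecting the plugin manually.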

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to giveasap admin endpoints
  • Multiple failed CSRF token validations

Network Indicators:

  • External requests to giveasap admin endpoints without referrer headers

SIEM Query:

source="wordpress.log" AND "giveasap" AND "admin-ajax.php" AND status=200
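The log and network indicators above can be checked against an ordinary web-server access log. The following is an added example, not part of the advisory: it parses lines in the Apache/nginx "combined" log format and flags successful POST requests to WordPress admin entry points that mention `giveasap` when the Referer is absent or belongs to another origin, which is the pattern a cross-site forged request leaves behind. The sample log lines, the action name `giveasap_save`, and the site hostname `shop.example` are constructed for the example; the plugin's real action names are not listed on this page.

```python
"""Flag access-log lines matching the CSRF indicators in the advisory for the
Simple Giveaways (giveasap) plugin: POST requests to plugin admin endpoints
whose Referer is missing or points at another site.

Added example, not part of the advisory. Assumes the server writes the
Apache/nginx "combined" log format and that the site's hostname is known.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Combined format: client ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# WordPress admin entry points a forged request would post to. Note that for
# admin-ajax.php the action often travels in the POST body, which an access
# log does not record; this filter only sees it when it is in the query string.
ADMIN_ENDPOINTS = (
    "/wp-admin/admin-ajax.php",
    "/wp-admin/admin-post.php",
    "/wp-admin/admin.php",
)

# Constructed sample lines (not real traffic); the action name is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:12:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=giveasap_save HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.4 - - [10/May/2023:12:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=giveasap_save HTTP/1.1" 200 512 "https://shop.example/wp-admin/admin.php?page=giveasap" "Mozilla/5.0"
203.0.113.9 - - [10/May/2023:12:03:44 +0000] "POST /wp-admin/admin.php?page=giveasap HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2023:12:04:01 +0000] "GET /wp-admin/admin.php?page=giveasap HTTP/1.1" 200 9000 "https://shop.example/wp-admin/" "Mozilla/5.0"
""".splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_csrf_indicator(entry: Dict[str, str], site_host: str) -> bool:
    """True for a successful POST to a giveasap admin endpoint whose Referer
    is empty ('-') or comes from a host other than the site itself."""
    if entry["method"] != "POST" or entry["status"] != "200":
        return False
    path = entry["path"]
    if not path.startswith(ADMIN_ENDPOINTS) or "giveasap" not in path:
        return False
    referer = entry["referer"]
    if referer in ("", "-"):
        return True          # no Referer at all on an admin state change
    return urlsplit(referer).hostname != site_host   # cross-origin Referer


def find_indicators(lines: List[str], site_host: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, time, path, referer) for every line that matches."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_csrf_indicator(entry, site_host):
            hits.append((entry["client"], entry["time"], entry["path"], entry["referer"]))
    return hits


if __name__ == "__main__":
    for client, when, path, referer in find_indicators(SAMPLE_LOG, "shop.example"):
        print(f"{when} {client} POST {path} referer={referer!r}")
```

Run against a real log by replacing `SAMPLE_LOG` with the file's lines and `shop.example` with the site's own hostname. A missing or foreign Referer is a heuristic, not proof: a strict `Referrer-Policy` or a privacy extension strips the header on legitimate requests too, so treat hits as leads to correlate with the CSRF-token failures and plugin-setting changes noted above.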
