CVE-2023-36682

7.1 HIGH

📋 TL;DR

This CSRF vulnerability in the Schema Pro WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. It affects all Schema Pro plugin versions up to 2.7.7. WordPress sites using vulnerable versions are at risk.

💻 Affected Systems

Products:
  • Schema Pro WordPress Plugin
Versions: All versions up to and including 2.7.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Schema Pro plugin enabled. Attack requires authenticated administrator session.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify plugin settings, inject malicious code, or perform administrative actions leading to site compromise or data manipulation.

🟠

Likely Case

Attackers could change schema markup settings, potentially affecting SEO or injecting unwanted content into pages.

🟢

If Mitigated

With proper CSRF protections or updated plugin, no unauthorized actions can be performed via forged requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks typically require social engineering to trick authenticated users. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.8 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-schema-pro/wordpress-schema-pro-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Schema Pro and click 'Update Now'.
4. Verify the version is 2.7.8 or higher.

🔧 Temporary Workarounds

Disable Schema Pro Plugin

Platform: all

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate wp-schema-pro

Implement CSRF Protection Headers

Platform: linux

Add security headers to the WordPress installation. Note that these headers stop other origins from framing the admin pages (clickjacking-style delivery); they do not block a forged top-level form POST, so treat them as defence in depth rather than a substitute for the patch.

Add to .htaccess:
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'"

🧯 If You Can't Patch

  • Restrict administrative access to trusted networks only
  • Implement strict SameSite cookie policies and use anti-CSRF tokens

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, open Plugins > Installed Plugins and read the Schema Pro version. If it is 2.7.7 or lower, the site is vulnerable.

Check Version:

wp plugin get wp-schema-pro --field=version

Verify Fix Applied:

Verify Schema Pro version is 2.7.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to schema-pro admin endpoints from unexpected referrers
  • Unauthorized changes to schema settings in plugin logs

Network Indicators:

  • HTTP requests with forged referrer headers targeting /wp-admin/admin-ajax.php?action=schema-pro endpoints

SIEM Query:

source="wordpress.logs" AND (uri_path="/wp-admin/admin-ajax.php" AND query_string="*schema-pro*") AND referrer NOT CONTAINS "your-domain.com"
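The following script is an added example, not part of the original advisory or of the Schema Pro plugin. It applies the logic of the SIEM query above to a few constructed Apache combined-format access-log lines: it keeps only POST requests to /wp-admin/admin-ajax.php whose action parameter contains "schema-pro" (the action name is illustrative, taken from the network indicator above, and is an assumption), then compares the Referer host against the site's own hostname (SITE_HOST, also an assumption). It goes a little beyond the query in two ways a practitioner cares about: it treats a missing Referer as its own verdict rather than silently passing or failing it, and it matches the hostname exactly instead of with CONTAINS, so a referrer such as your-domain.com.attacker.invalid is not mistaken for same-site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the site's own hostname. Replace with the real one when deploying.
SITE_HOST = "example-site.test"

# Constructed sample log lines (Apache "combined" format); not real traffic.
# Line 1: legitimate save from the plugin's own admin page.
# Line 2: same endpoint, but the Referer is a third-party page.
# Line 3: same endpoint with no Referer at all.
# Line 4: unrelated GET (heartbeat), should be ignored.
# Line 5: Referer host that merely *contains* the site name (CONTAINS would pass it).
SAMPLE_LOG = """\
203.0.113.10 - admin [01/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=schema-pro-save HTTP/1.1" 200 512 "https://example-site.test/wp-admin/admin.php?page=schema-pro" "Mozilla/5.0"
203.0.113.10 - admin [01/Jan/2024:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=schema-pro-save HTTP/1.1" 200 512 "https://attacker.invalid/lure.html" "Mozilla/5.0"
203.0.113.10 - admin [01/Jan/2024:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=schema-pro-save HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example-site.test/wp-admin/" "Mozilla/5.0"
203.0.113.10 - admin [01/Jan/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=schema-pro-save HTTP/1.1" 200 512 "https://example-site.test.attacker.invalid/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_request(line: str, site_host: str = SITE_HOST):
    """Return a finding for a state-changing schema-pro admin-ajax request,
    or None when the line is not such a request (wrong method, path or action)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, referer = m.group("method"), m.group("target"), m.group("referer")
    parts = urlsplit(target)
    # Only POSTs change state; GETs to admin-ajax.php are routine (heartbeat etc.).
    if method != "POST" or parts.path != "/wp-admin/admin-ajax.php":
        return None
    action = parse_qs(parts.query).get("action", [""])[0]
    if "schema-pro" not in action.lower():
        return None
    if referer in ("", "-"):
        # Browsers may strip Referer (referrer policy), so this is a weaker signal,
        # but a state-changing admin call with no Referer is still worth a look.
        verdict = "missing-referer"
    else:
        # Exact host comparison: a CONTAINS check would accept "<site>.attacker.invalid".
        ref_host = (urlsplit(referer).hostname or "").lower()
        verdict = "same-site" if ref_host == site_host.lower() else "cross-site-referer"
    return {
        "ip": m.group("ip"), "user": m.group("user"), "time": m.group("time"),
        "action": action, "referer": referer, "verdict": verdict,
    }


def scan_log(text: str, site_host: str = SITE_HOST):
    """Return the findings worth alerting on: every matching request whose
    Referer is not the site itself (cross-site or missing)."""
    findings = []
    for line in text.splitlines():
        finding = classify_request(line, site_host)
        if finding and finding["verdict"] != "same-site":
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} user={f['user']} action={f['action']} "
              f"referer={f['referer']!r} -> {f['verdict']}")
```

On the constructed input this flags lines 2, 3 and 5 and leaves lines 1 and 4 alone. Referer is a heuristic: it cannot be set cross-origin by browser script, but non-browser clients can set it freely and many browsers omit it, so use these verdicts to prioritise review of plugin setting changes rather than as proof of forgery.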
