Osiris Signature Banner
Monthly
Cross-Site Request Forgery in the Osiris Signature Banner WordPress plugin (all versions ≤ 0.5) enables unauthenticated attackers to update plugin settings and inject stored XSS payloads by tricking an authenticated administrator into triggering a forged request. Missing nonce validation across at least four functions (lines 107, 118, 139, and 189 of osiris-signature-banner.php) means any forged cross-origin form submission executed in an active admin session bypasses all server-side origin checks. No public exploit identified at time of analysis and no KEV listing is present, but the stored XSS secondary impact elevates real-world risk above a typical CSRF-only finding.
Cross-Site Request Forgery in the Osiris Signature Banner WordPress plugin (all versions ≤ 0.5) enables unauthenticated attackers to update plugin settings and inject stored XSS payloads by tricking an authenticated administrator into triggering a forged request. Missing nonce validation across at least four functions (lines 107, 118, 139, and 189 of osiris-signature-banner.php) means any forged cross-origin form submission executed in an active admin session bypasses all server-side origin checks. No public exploit identified at time of analysis and no KEV listing is present, but the stored XSS secondary impact elevates real-world risk above a typical CSRF-only finding.