CVE-2023-1867 in YourChannel Plugin
Summary
by MITRE • 04/05/2023
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2023-1867 affects the YourChannel plugin for WordPress, specifically targeting versions up to and including 1.2.4. This represents a critical security flaw that undermines the integrity of the plugin's administrative functions and exposes WordPress sites to potential unauthorized modifications. The vulnerability manifests through insufficient validation mechanisms that should normally protect against malicious requests attempting to alter plugin configurations.
The technical flaw resides in the plugin's save function which fails to implement proper nonce validation. A nonce is a cryptographic value that ensures requests originate from legitimate sources within the WordPress ecosystem. Without this validation mechanism, attackers can craft malicious requests that appear to come from authenticated administrators. This weakness directly maps to CWE-352, which defines Cross-Site Request Forgery vulnerabilities as those that allow attackers to perform actions on behalf of users without their knowledge or consent. The absence of nonce verification creates an exploitable path that bypasses WordPress's built-in security protections designed to prevent unauthorized administrative modifications.
The operational impact of this vulnerability extends beyond simple configuration changes, as it allows unauthenticated attackers to manipulate plugin settings that may affect site functionality, user experience, and potentially expose sensitive data. When an administrator clicks on a malicious link or visits a compromised website, the forged request can execute without their knowledge, leading to unauthorized modifications that could range from changing display settings to more severe configuration alterations that might compromise site security. This vulnerability particularly affects WordPress environments where administrators frequently interact with external links or where social engineering attacks are common, making the exploitation vector highly relevant in real-world scenarios.
The attack vector for this vulnerability requires minimal technical expertise from threat actors, as it relies on social engineering techniques to trick administrators into executing malicious requests. Attackers can embed the forged requests within seemingly legitimate content or use phishing campaigns to direct administrators to malicious sites. According to ATT&CK framework category T1566, this vulnerability enables initial access through social engineering, while the subsequent actions align with T1078 for legitimate credentials usage. Organizations should prioritize immediate remediation through plugin updates to version 1.2.5 or later, which implements proper nonce validation. Additionally, administrators should implement network monitoring to detect suspicious administrative activities and consider implementing additional security measures such as two-factor authentication and role-based access controls to mitigate the potential impact of successful exploitation attempts.