WordPress Plugin Vulnerabilities

WP Inventory Manager < 2.1.0.14 - Inventory Items Deletion via CSRF

Description

The plugin does not have CSRF checks, which could allow attackers to make logged-in admins delete Inventory Items via a CSRF attack

Proof of Concept

Send a payload to logged-in admins with a request to http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpim_manage_inventory_items&action=delete&delete_id=2

Affects Plugins

Plugin icon
wp-inventory-manager
Fixed in 2.1.0.14

References

CVE
CVE-2023-2842

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
NGO VAN TU
Submitter
NGO VAN TU
Verified
Yes
WPVDB ID
0357ecc7-56f5-4843-a928-bf2d3ce75596

Timeline

Publicly Published
2023-06-05 (about 11 months ago)
Added
2023-06-05 (about 11 months ago)
Last Updated
2023-06-05 (about 11 months ago)

Other

Published
Title
Published
2024-05-09
Title
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms < 1.2.1 - Cross-Site Request Forgery
Published
2023-09-11
Title
Checkout Field Editor (Premium) < 1.7.5 - Cross-Site Request Forgery
Published
2023-10-06
Title
Laposta Signup Basic < 1.4.2 - CSRF
Published
2019-06-18
Title
Facebook for WooCommerce < 1.9.15 - CSRF allowing Option Update
Published
2022-05-23
Title
Sideblog <= 6.0 - Arbitrary Settings Update via CSRF to Stored XSS