Live Forms <= 4.8.5 – Entry Deletion via CSRF

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Proof of Concept

Have an admin open a link like:

`https://example.com/wp-admin/admin-ajax.php?action=wplf_delete_entry&entry=1`

The `entry` parameter can be changed and the corresponding form submission will be deleted.

Affects Plugins

liveforms

No known fix

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

bobmatyas

Verified

Yes

WPVDB ID

045b8974-28e4-493a-b175-5bd21208575b

Timeline

Publicly Published

2025-04-15 (about 11 months ago)

Added

2025-04-15 (about 11 months ago)

Last Updated

2025-04-15 (about 11 months ago)

Other

Published

Title

Published

2025-02-13

Title

RSS Filter <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-09-27

Title

Mang Board WP < 1.8.2 - Settings Update via CSRF

Published

2025-12-05

Title

WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update

Published

2019-07-16

Title

Ultra Simple Paypal Shopping Cart <= 4.4 - Cross-Site Request Forgery (CSRF)

Published

2023-11-13

Title

Contact Forms by Cimatti < 1.6.1 - CSRF