WordPress Plugin Vulnerabilities

Counter Box < 1.2.4 - Counter Deletion via CSRF

Description

The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
counter-box
Fixed in 1.2.4

References

CVE
CVE-2024-3481

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
0c441293-e7f9-4634-8f3a-09925cd2b696

Timeline

Publicly Published
2024-04-11 (about 1 year ago)
Added
2024-04-11 (about 1 year ago)
Last Updated
2024-04-11 (about 1 year ago)

Other

Published
Title
Published
2024-09-30
Title
CartBounty – Save and recover abandoned carts for WooCommerce < 8.2.1 - Cross-Site Request Forgery
Published
2025-10-24
Title
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) < 1.1.23.1 - Cross-Site Request Forgery to Sync Rule Creation
Published
2021-08-18
Title
Jock on air now < 5.6.2 - Arbitrary Plugin's Settings Update via CSRF
Published
2023-11-14
Title
LayerSlider < 7.7.10 - Cross-Site Request Forgery
Published
2024-04-12
Title
Asgaros Forum < 2.9.0 - Cross-Site Request Forgery