WordPress Plugin Vulnerabilities

StaffList < 3.1.6 - Arbitrary Staff Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting staff members, which could allow attacker to make a logged in admin perform such action and delete arbitrary staff via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
stafflist
Fixed in 3.1.6

References

URL
https://packetstormsecurity.com/files/#166919/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Hassan Khan Yusufzai
Verified
Yes
WPVDB ID
0d728954-2054-453e-958c-935b4493f69c

Timeline

Publicly Published
2022-05-02 (about 3 years ago)
Added
2022-05-03 (about 3 years ago)
Last Updated
2022-05-04 (about 3 years ago)

Other

Published
Title
Published
2023-12-27
Title
Paid Member Subscriptions < 2.10.5 - Cross-Site Request Forgery via ajax_add_log_entry
Published
2025-04-11
Title
Webcraftic Clearfy – WordPress optimization plugin < 2.3.3 - Cross-Site Request Forgery to Plugin Settings Update via 'setup-wbcr_clearfy'
Published
2023-02-08
Title
ColorWay <= 4.2.3 - Cross-Site Request Forgery
Published
2023-02-06
Title
A2 Optimized WP < 3.0.5 - Data Collection Toggle via CSRF
Published
2023-06-13
Title
WordPress Contact Forms by Cimatti < 1.5.8 - Cross-Site Request Forgery