Subscribe2 < 10.38 – User Deletion via CSRF | CVE 2022-4309 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete arbitrary users by knowing their email via a CSRF attack.

Note: Attackers won't be able to delete the user making the CSRF request.

Proof of Concept

Make a logged-in admin open the below URL to delete the user with the user@domain.com address:

https://example.com/wp-admin/admin.php?page=s2_tools&tab=registered&action=delete&paged=1&subscriber%5B%5D=user@domain.com&action2=delete

Affects Plugins

Fixed in 10.38

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

1965f53d-c94e-4322-9059-49de69df1051

Timeline

Publicly Published

2022-12-22 (about 3 years ago)

Added

2022-12-22 (about 3 years ago)

Last Updated

2022-12-22 (about 3 years ago)

Other

Published

Title

Published

2024-04-25

Title

Serious Slider < 1.2.5 - Cross-Site Request Forgery

Published

2025-01-16

Title

RSS News Scroller <= 2.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-03-01

Title

ElasticPress < 3.5.4 - Cross-Site Request Forgery

Published

2014-08-01

Title

XCloner - Backup and Restore < 3.1.1 - Multiple Actions CSRF

Published

2016-04-12

Title

WordPress <= 4.4.2 - Script Compression Option CSRF