WordPress Plugin Vulnerabilities

Booknetic < 4.1.5 - Staff Creation via CSRF

Description

The plugin does not have CSRF check when creating Staff accounts, which could allow attackers to make logged in admin add arbitrary Staff members via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
booknetic
Fixed in 4.1.5

References

CVE
CVE-2024-13146

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Veshraj Ghimire
Submitter
Veshraj Ghimire
Submitter website
https://veshrajghimire.com.np
Submitter twitter
GhimireVeshraj
Verified
Yes
WPVDB ID
19cb40dd-53b0-46db-beb0-1841e385ce09

Timeline

Publicly Published
2025-03-05 (about 9 months ago)
Added
2025-03-05 (about 9 months ago)
Last Updated
2025-03-05 (about 9 months ago)

Other

Published
Title
Published
2024-11-01
Title
Advanced PDF Generator <= 0.4.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-08-22
Title
Visual Sound <= 1.03 - Settings Update via CSRF
Published
2025-02-03
Title
WP Admin Custom Page <= 1.5.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-22
Title
WP Attractive Donations System < 1.29 - Cross-Site Request Forgery
Published
2022-06-20
Title
WP Opt-in <= 1.4.1 - Arbitrary Settings Update via CSRF