WordPress Plugin Vulnerabilities

Bulk Delete Users by Email < 2.0.0 - User Deletion via CSRF

Description

The plugin does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
bulk-delete-users-by-email
Fixed in 2.0.0

References

CVE
CVE-2022-4266

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
1bcda9d3-c573-441e-828f-055fbec2e08d

Timeline

Publicly Published
2022-12-02 (about 3 years ago)
Added
2022-12-02 (about 3 years ago)
Last Updated
2025-09-26 (about 2 months ago)

Other

Published
Title
Published
2025-04-04
Title
Sequential Order Numbers for WooCommerce < 3.6.3 - Cross-Site Request Forgery
Published
2024-10-14
Title
Linked Variation for WooCommerce < 2.0.0 - CSRF
Published
2023-03-20
Title
Simple Mobile URL Redirect <= 1.7.2 - Cross-Site Request Forgery
Published
2025-09-05
Title
SimaCookie <= 1.3.2 - Cross-Site Request Forgery
Published
2023-10-31
Title
GiveWP < 2.33.4 - Cross-Site Request Forgery to plugin deactivation