WordPress Plugin Vulnerabilities

Delete All Comments Easily <= 1.3 - All Comments Deletion via CSRF

Description

The plugin is lacking Cross-Site Request Forgery (CSRF) checks, which could result in an unauthenticated attacker making a logged in admin delete all comments from the blog.

Affects Plugins

Plugin icon
delete-all-comments-easily
No known fix

References

CVE
CVE-2020-36505
URL
https://medium.com/@hoanhp/0-day-story-2-delete-all-comments-easily-a854e52a7d50

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Hoan Hp
Verified
Yes
WPVDB ID
239f8efa-8fa4-4274-904f-708e65083821

Timeline

Publicly Published
2020-06-16 (about 3 years ago)
Added
2020-06-22 (about 3 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2021-10-21
Title
Core Tweaks WP Setup <= 4.1 - Arbitrary Admin Account Creation / Admin Email Update via CSRF
Published
2022-05-23
Title
WP-chgFontSize <= 1.8 - Arbitrary Settings Update via CSRF to Stored XSS
Published
2024-04-12
Title
AffiEasy < 1.1.6 - Cross-Site Request Forgery
Published
2022-06-20
Title
WP Opt-in <= 1.4.1 - Arbitrary Settings Update via CSRF
Published
2023-12-07
Title
Caddy < 1.9.8 - Cross-Site Request Forgery