Pardakht Delkhah < 2.9.9 – Form Fields Reset via CSRF | CVE 2024-6230 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack

Proof of Concept

Have an admin visit:

https://example.com/wp-admin/edit.php?post_type=cupri_pay&page=cupri-fields&cupri_reset_form=true

Any customization of the plugin's form fields will be reset

Affects Plugins

pardakht-delkhah

Fixed in 2.9.9

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

311e3c15-0f58-4f3b-91f8-0c62c0eea55e

Timeline

Publicly Published

2024-07-09 (about 1 year ago)

Added

2024-07-09 (about 1 year ago)

Last Updated

2024-11-29 (about 1 year ago)

Other

Published

Title

Published

2023-10-16

Title

Sort SearchResult By Title < 11.0 - CSRF

Published

2023-12-06

Title

Multi Currency For WooCommerce < 1.5.6 - Cross-Site Request Forgery

Published

2022-03-08

Title

Analytics Cat < 1.1.0 - Settings Update via CSRF

Published

2025-09-26

Title

cForms – Light speed fast Form Builder <= 3.0.0 - Cross-Site Request Forgery

Published

2025-04-09

Title

WP shop <= 2.6.1 - Arbitrary File Upload via CSRF