WordPress Plugin Vulnerabilities

Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF

Description

The del_reistered_domains AJAX action of the plugin does not have any CSRF checks, and is vulnerable to a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
software-license-manager
Fixed in 4.5.1

References

CVE
CVE-2021-24711
URL
https://jetpack.com/2021/09/14/csrf-vulnerability-found-in-software-license-manager-plugin/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Harald Eilertsen (JetPack)
Submitter
Harald Eilertsen
Verified
Yes
WPVDB ID
3351bc30-e5ff-471f-8d1c-b1bcdf419937

Timeline

Publicly Published
2021-09-13 (about 4 years ago)
Added
2021-09-13 (about 4 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-08-16
Title
Bricks < 1.8.2 - Cross-Site Request Forgery via save_settings
Published
2024-06-20
Title
MasterStudy LMS < 3.2.2 - Cross-Site Request Forgery
Published
2025-09-05
Title
Invelity MyGLS connect <= 1.1.1 - Cross-Site Request Forgery
Published
2023-07-04
Title
WebwinkelKeur < 3.25 - Cross-Site Request Forgery
Published
2024-06-20
Title
Digital Newspaper < 1.1.6 - Cross-Site Request Forgery to Notice Dismissal