WordPress Plugin Vulnerabilities

WP-PManager <= 1.2 - Category Deletion via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
wp-programmmanager
No known fix

References

CVE
CVE-2025-2247

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
3974c5c3-887e-46bd-aad7-4f3169bff6de

Timeline

Publicly Published
2025-02-16 (about 10 months ago)
Added
2025-03-19 (about 9 months ago)
Last Updated
2025-03-19 (about 9 months ago)

Other

Published
Title
Published
2022-11-09
Title
WPML < 4.5.14 - CSRF
Published
2024-01-30
Title
Affiliates Manager < 2.9.35 - Cross-Site Request Forgery
Published
2025-03-24
Title
WordPress Admin Bar Improved <= 3.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-11-22
Title
WP-Orphanage Extended < 1.3 - Cross-Site Request Forgery to Orphan Account Privilege Escalation
Published
2022-08-02
Title
MaxButtons < 9.3 - Arbitrary Settings Update via CSRF