WordPress Plugin Vulnerabilities

WooCommerce Custom Registration Form <= 1.0.4 - Arbitrary Field Deletion and Form Modification via CSRF

Description

The plugin does not properly check for CSRF in its del_field and save_all_data AJAX actions, allowing attacker to make logged in user call them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
fma-additional-registration-attributes
No known fix

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.6 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
41599b8c-3441-456a-b77c-866a129f3cf1

Timeline

Publicly Published
2021-06-30 (about 4 years ago)
Added
2021-06-30 (about 4 years ago)
Last Updated
2021-06-30 (about 4 years ago)

Other

Published
Title
Published
2025-01-07
Title
Prayer Times Anywhere <= 2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-09-04
Title
Realbig < 1.0.7 - Settings Update via CSRF
Published
2024-02-02
Title
Quicksand Post Filter jQuery Plugin <= 3.1.1 - Cross-Site Request Forgery via renderAdmin
Published
2024-06-28
Title
Uncanny Automator Pro < 5.3.0.1 - Cross-Site Request Forgery to License Setting Reset
Published
2023-09-25
Title
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF