WordPress Plugin Vulnerabilities

WP Dependency Installer < 4.3.1 - Arbitrary Plugin Installation from Dependency via CSRF

Description

The wp-dependency-installer library, used in the plugins, does not have CSRF check in its dependency_installer AJAX action with the install method, which could allow attackers to make a logged in admin install plugins defined in the wp-dependencies.json via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
classic-editor-addon
Fixed in 2.6.4
Plugin icon
wp-debugging
Fixed in 2.11.7
Plugin icon
lean-wp
No known fix

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Jan w Oleju
Submitter
Jan w Oleju
Verified
Yes
WPVDB ID
49680f00-ce9d-4089-ad50-034407f428f3

Timeline

Publicly Published
2022-01-24 (about 4 years ago)
Added
2022-01-24 (about 4 years ago)
Last Updated
2022-01-24 (about 4 years ago)

Other

Published
Title
Published
2022-11-11
Title
AdRotate Banner Manager < 5.9.1 - Password Change via CSRF
Published
2024-12-12
Title
Multiple Admin Emails <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-10-13
Title
wpNamedUsers <= 0.5 - Cross-Site Request Forgery
Published
2024-04-05
Title
WordPress Tooltips < 9.5.3 - Cross-Site Request Forgery
Published
2023-11-21
Title
UserPro < 5.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata