Themes Vulnerabilities
Ask Me < 6.8.7 - Post Deletion via CSRF
Description
The plugin has a CSRF vulnerability that allows the deletion of a post without using a nonce or prompting for confirmation.
Proof of Concept
An attacker can log in to their own account, grab the link structure of the post-deletion request, and then forge it to the victim's post ID and send it to the victim. As soon as the victim accesses the link, the post will be deleted without asking for confirmation or using a nonce.
Affects Themes
Fixed in 6.8.7
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Srijan Adhikari
Submitter
Srijan Adhikari
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-28 (about 1 years ago)
Added
2022-10-28 (about 1 years ago)
Last Updated
2022-10-31 (about 1 years ago)