WordPress Plugin Vulnerabilities

WP Coder < 2.5.3 - Code Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged in admin delete arbitrary ones via a CSRF attack

Proof of Concept

https://example.com/wp-admin/admin.php?page=wp-coder&info=del&did=1

Affects Plugins

Plugin icon
wp-coder
Fixed in 2.5.3

References

CVE
CVE-2022-2388

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Submitter twitter
kazet1234
Verified
Yes
WPVDB ID
50acd35f-eb31-4aba-bf32-b390e9514beb

Timeline

Publicly Published
2022-07-26 (about 1 years ago)
Added
2022-07-26 (about 1 years ago)
Last Updated
2023-04-22 (about 1 years ago)

Other

Published
Title
Published
2023-02-28
Title
HT Slider For Elementor < 1.4.0 - Arbitrary Plugin Activation via CSRF
Published
2023-01-24
Title
Material Design Icons for Page Builders < 1.4.3 - Settings Update via CSRF
Published
2023-01-20
Title
Bubble Menu - Circle Floating Menu < 3.0.2 - Form Deletion via CSRF
Published
2023-01-17
Title
MainWP Matomo Extension < 4.0.5 - CSRF
Published
2023-12-28
Title
Dynamic Content for Elementor < 2.12.5 - Cross-Site Request Forgery