WordPress Plugin Vulnerabilities

NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
social-networks-auto-poster-facebook-twitter-g
Fixed in 4.3.25

References

CVE
CVE-2021-25072

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
53d2c61d-ce73-40e0-a113-9d76d8fecc91

Timeline

Publicly Published
2022-01-03 (about 3 years ago)
Added
2022-01-03 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-01-30
Title
Don't Muck My Markup <= 1.8 - Cross-Site Request Forgery
Published
2025-01-16
Title
Geotagged Media <= 0.3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-08-21
Title
DX-auto-save-images <= 1.4.0 - CSRF
Published
2023-09-11
Title
Checkout Field Editor < 1.7.5 - Checkout Fields Update via CSRF
Published
2024-04-10
Title
Currency per Product for WooCommerce < 1.7.0 - Cross-Site Request Forgery to Notice Dismissal