WordPress Plugin Vulnerabilities

NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack

Proof of Concept

https://example.com/wp-admin/admin.php?page=nxssnap-reposter&item=1&action=delete

Affects Plugins

Plugin icon
social-networks-auto-poster-facebook-twitter-g
Fixed in 4.3.25

References

CVE
CVE-2021-25072

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
53d2c61d-ce73-40e0-a113-9d76d8fecc91

Timeline

Publicly Published
2022-01-03 (about 2 years ago)
Added
2022-01-03 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2023-07-12
Title
Justin Klein WP Social AutoConnect < 4.6.2 - Cross-Site Request Forgery
Published
2024-01-05
Title
WP Job Manager < 2.1.0 - Cross-Site Request Forgery
Published
2023-09-05
Title
Backup Migration < 1.3.0 - Cross-Site Request Forgery
Published
2018-04-23
Title
Ultimate Member < 2.0.7 - Multiple Cross-Site Request Forgery Issues
Published
2021-05-08
Title
Zlick Paywall < 2.2.2 - CSRF Bypasses