WordPress Plugin Vulnerabilities

DNUI <= 2.8.1 - Deletion of images through CSRF

Description

The plugin does not have CSRF checks when deleting unused images or pulling image data from the database, which could allow attackers to make logged-in admins perform such action via a CSRF attack

Affects Plugins

Plugin icon
dnui-delete-not-used-image-wordpress
No known fix

References

CVE
CVE-2022-47609

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
6634a90b-eb4d-4156-b565-82c6ce20cbd2

Timeline

Publicly Published
2023-01-18 (about 3 years ago)
Added
2023-05-23 (about 2 years ago)
Last Updated
2023-05-23 (about 2 years ago)

Other

Published
Title
Published
2023-02-14
Title
Locatoraid Store Locator < 3.9.12 - CSRF
Published
2024-11-28
Title
Load More Posts <= 1.4.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-31
Title
WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection < 3.6.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-11-18
Title
SureForms < 1.13.2 - Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution
Published
2024-06-04
Title
Mollie Forms < 2.6.14 - Cross-Site Request Forgery to Arbitrary Post Duplication