WordPress Plugin Vulnerabilities

Haxcan <= 1.0.0 - CSRF Bypass

Description

The plugin does not properly check for CSRF in its get_ajax_response AJAX action, allowing attacker to make logged in admin call them it via CSRF attack and add arbitrary files in quarantine for example.

Proof of Concept

Affects Plugins

Plugin icon
haxcan
No known fix

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
6753dd6b-c14c-46ef-bace-b43cf2ef7e3e

Timeline

Publicly Published
2021-07-05 (about 4 years ago)
Added
2021-07-05 (about 4 years ago)
Last Updated
2021-07-05 (about 4 years ago)

Other

Published
Title
Published
2020-04-02
Title
Woocommerce Subscriptions < 3.0.3 - CSRF to Cancel/Re-Activate Subscription
Published
2023-09-29
Title
Contact Form < 2.0.12 - Form Styling Update via CSRF
Published
2021-04-14
Title
Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)
Published
2025-02-28
Title
Simple:Press < 6.10.13 - Cross-Site Request Forgery to Unauthorized Post Editing
Published
2025-01-16
Title
ECT Add to Cart Button <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting