WordPress Plugin Vulnerabilities

Favicon Generator < 2.1 - Arbitrary File Deletion via CSRF

Description

The plugin does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server

Proof of Concept

Affects Plugins

Plugin icon
favicon-generator
Fixed in 2.1

References

CVE
CVE-2024-7864

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.4 (high)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com/
Verified
Yes
WPVDB ID
6ce62e78-04a4-46b2-b97f-c4ef8f3258c3

Timeline

Publicly Published
2024-08-23 (about 1 year ago)
Added
2024-08-23 (about 1 year ago)
Last Updated
2024-08-23 (about 1 year ago)

Other

Published
Title
Published
2024-11-23
Title
Protect Your Content <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-06-01
Title
MC4WP: Mailchimp for WordPress < 4.8.5 - Unauthorised Actions via CSRF
Published
2022-05-31
Title
WP Sentry <= 1.0 - Arbitrary Settings Update to Stored XSS via CSRF
Published
2023-03-03
Title
WP Clean Up <= 1.2.3 - Cross-Site Request Forgery (CSRF)
Published
2021-06-30
Title
MZ MBO Access < 2.0.9 - Unauthorised AJAX call