WordPress Plugin Vulnerabilities

WP Clean Up <= 1.2.3 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect its wp_clean_up_optimize action against CSRF attacks, allowing an unauthenticated attacker to perform various database clean-up operations by tricking a logged in user to submit a crafted request.

Affects Plugins

Plugin icon
wp-clean-up
No known fix

References

CVE
CVE-2023-25034
URL
https://patchstack.com/database/vulnerability/wp-clean-up/wordpress-wp-clean-up-plugin-1-2-3-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
71c9d22e-d269-4473-a93f-706a3d6d8513

Timeline

Publicly Published
2023-03-03 (about 3 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2024-04-11
Title
Side Menu Lite < 4.2.1 - Menu Deletion via CSRF
Published
2024-08-16
Title
AFI – The Easiest Integration Plugin < 1.89.6 - Cross-Site Request Forgery
Published
2023-10-09
Title
EventPrime < 3.2.0 - Booking Creation via CSRF
Published
2021-07-05
Title
Abandoned Cart Recovery for WooCommerce < 1.0.4.1 - Cross-Site Request Forgery
Published
2023-03-31
Title
Really Simple Google Tag Manager < 1.0.7 - Arbitrary Plugin Activation via CSRF