Paypal Donation < 1.3.1 – CSRF to Arbitrary Post Deletion | CVE 2021-24572

Description

The plugin provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpedon_buttons&action=delete&inline=true&product=<target post id>

Affects Plugins

easy-paypal-donation

Fixed in 1.3.1

References

CVE

CVE-2021-24572

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

7b1ebd26-ea8b-448c-a775-66a04102e44f

Timeline

Publicly Published

2021-10-04 (about 4 years ago)

Added

2021-10-04 (about 4 years ago)

Last Updated

2022-04-15 (about 3 years ago)

Other

Published

Title

Published

2025-04-09

Title

WP Map Route Planner <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-11-15

Title

Disable User Login < 1.3.9 - User Login Toggle via CSRF

Published

2023-05-25

Title

Custom Twitter Feeds (Tweets Widget) < 2.0 - Cross-Site Request Forgery (CSRF)

Published

2022-06-30

Title

Popup Builder < 4.1.12 - Settings Update via CSRF

Published

2024-05-27

Title

Integration for Contact Form 7 and Constant Contact < 1.1.6 - CSRF