WordPress Plugin Vulnerabilities
Paypal Donation < 1.3.1 - CSRF to Arbitrary Post Deletion
Description
The plugin provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts
Proof of Concept
https://example.com/wp-admin/admin.php?page=wpedon_buttons&action=delete&inline=true&product=<target post id>
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-10-04 (about 2 years ago)
Added
2021-10-04 (about 2 years ago)
Last Updated
2022-04-15 (about 2 years ago)