WordPress Plugin Vulnerabilities

WP125 < 1.5.5 - Arbitrary Ad Deletion via CSRF

Description

The plugin does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
wp125
Fixed in 1.5.5

References

CVE
CVE-2021-25073
URL
https://plugins.trac.wordpress.org/changeset/2647594

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
922a2037-9b5e-4c94-83d9-99efc494e9e2

Timeline

Publicly Published
2021-12-23 (about 3 years ago)
Added
2021-12-23 (about 3 years ago)
Last Updated
2022-04-10 (about 3 years ago)

Other

Published
Title
Published
2024-06-20
Title
Envira Photo Gallery < 1.8.8 - Cross-Site Request Forgery to Notice Dismissal
Published
2023-11-09
Title
TPG Redirect < 1.0.8 - CSRF
Published
2024-01-30
Title
Post Video Players < 1.160 - Settings Update via CSRF
Published
2019-07-11
Title
Pricing Table < 2.3 - Cross-Site Request Forgery
Published
2025-01-29
Title
CP Contact Form with PayPal < 1.3.53 - Cross-Site Request Forgery