WordPress Plugin Vulnerabilities

WP125 < 1.5.5 - Arbitrary Ad Deletion via CSRF

Description

The plugin does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack

Proof of Concept

https://example.com/wp-admin/admin.php?page=wp125_addedit&deletead=1

Affects Plugins

Plugin icon
wp125
Fixed in 1.5.5

References

CVE
CVE-2021-25073
URL
https://plugins.trac.wordpress.org/changeset/2647594

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
922a2037-9b5e-4c94-83d9-99efc494e9e2

Timeline

Publicly Published
2021-12-23 (about 2 years ago)
Added
2021-12-23 (about 2 years ago)
Last Updated
2022-04-10 (about 2 years ago)

Other

Published
Title
Published
2021-03-01
Title
Style Kits < 1.8.1 - Cross-Site Request Forgery
Published
2023-12-28
Title
WPC Product Bundles for WooCommerce < 7.3.2 - Cross-Site Request Forgery
Published
2024-04-01
Title
SecuPress Free — WordPress Security < 2.2.5.2 - Cross-Site Request Forgery to Banned IP Address
Published
2015-01-22
Title
Contact Form 3.82 - Unauthorized Language Manipulation
Published
2023-05-25
Title
Product Gallery Slider for WooCommerce < 2.2.9 - Cross-Site Request Forgery (CSRF)