WordPress Plugin Vulnerabilities

Herd Effects < 5.2.4 - Effect Deletion via CSRF

Description

The plugin does not have CSRF when deleting its items, which could allow attackers to make logged in admins delete arbitrary effects via a CSRF attack

Proof of Concept

Make a logged in admin open https://example.com/wp-admin/admin.php?page=mwp-herd-effect&info=delete&did=1, this will make them delete the effect with ID 1

Affects Plugins

Plugin icon
mwp-herd-effect
Fixed in 5.2.4

References

CVE
CVE-2023-4318

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
93b40030-3706-4063-bf59-4ec983afdbb6

Timeline

Publicly Published
2023-08-21 (about 8 months ago)
Added
2023-08-21 (about 8 months ago)
Last Updated
2023-08-21 (about 8 months ago)

Other

Published
Title
Published
2015-06-03
Title
Codestyling Localization <= 1.99.30 - Multiple CSRF
Published
2023-10-26
Title
WP Knowledgebase <= 1.3.4 - CSRF
Published
2023-07-10
Title
WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF
Published
2023-07-11
Title
LWS Cleaner < 2.3.1 - Cross-Site Request Forgery
Published
2023-11-07
Title
ANAC XML Bandi di Gara <= 7.5 - Cross-Site Request Forgery via settings.php