WordPress Plugin Vulnerabilities
Herd Effects < 5.2.4 - Effect Deletion via CSRF
Description
The plugin does not have CSRF when deleting its items, which could allow attackers to make logged in admins delete arbitrary effects via a CSRF attack
Proof of Concept
Make a logged in admin open https://example.com/wp-admin/admin.php?page=mwp-herd-effect&info=delete&did=1, this will make them delete the effect with ID 1
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-08-21 (about 8 months ago)
Added
2023-08-21 (about 8 months ago)
Last Updated
2023-08-21 (about 8 months ago)