WordPress Plugin Vulnerabilities

Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF

Description

The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash

Proof of Concept

Affects Plugins

Plugin icon
easy-pricing-tables
Fixed in 3.1.3

References

CVE
CVE-2021-25098

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
960a634d-a88a-4d90-9ac3-7d24b1fe07fe

Timeline

Publicly Published
2022-02-01 (about 3 years ago)
Added
2022-02-01 (about 3 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2024-05-31
Title
CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF
Published
2023-07-10
Title
WooCommerce Pre-Orders < 2.0.3 - Arbitrary Pre-Order Canceling via CSRF
Published
2023-07-20
Title
Disabler < 4.0.0 - CSRF
Published
2025-08-25
Title
SEO For Images <= 1.0.0 - Cross-Site Request Forgery
Published
2025-04-09
Title
ALD Login Page < 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting