WordPress Uninstall <= 1.2.1 – WordPress Deletion via CSRF | CVE 2015-9332

Description

The plugin does not have any CSRF check in place, allowing attackers to make a logged in admin delete the entire WordPress installation

v1.2 attempted to fix the issue by adding an authorisation check to ensure that the user executing the request is an admin, which does not fix anything CSRF related.

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=uninstall

Affects Plugins

uninstall

No known fix

References

CVE

CVE-2015-9332

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

8.1 (high)

Miscellaneous

Submitter

SecuBeastTeam

Verified

Yes

WPVDB ID

a8b8c943-1168-4652-9b31-8bfc5810ebfe

Timeline

Publicly Published

2015-02-11 (about 11 years ago)

Added

2014-12-11 (about 11 years ago)

Last Updated

2021-08-30 (about 4 years ago)

Other

Published

Title

Published

2024-10-31

Title

Alphabetical List <= 1.0.3 - Settings Update via CSRF

Published

2025-06-27

Title

ONet Regenerate Thumbnails <= 1.5 - Cross-Site Request Forgery

Published

2025-12-04

Title

Norby AI <= 1.0.3 - Cross-Site Request Forgery to Settings Update

Published

2026-01-13

Title

Stopwords for comments <= 1.1 - Missing Authorization to Cross-Site Request Forgery

Published

2024-11-22

Title

ITERAS < 1.8.1 - Stored XSSS via CSRF