WordPress Plugin Vulnerabilities

Throws SPAM Away < 3.3.1 - Comment Deletion via CSRF

Description

The plugin does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in admin delete comments via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
throws-spam-away
Fixed in 3.3.1

References

CVE
CVE-2022-1709

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
ac290535-d9ec-459a-abc3-27cd78eb54fc

Timeline

Publicly Published
2022-05-16 (about 3 years ago)
Added
2022-05-16 (about 3 years ago)
Last Updated
2022-05-16 (about 3 years ago)

Other

Published
Title
Published
2025-04-22
Title
affiliate-toolkit < 3.7.4 - Cross-Site Request Forgery
Published
2025-04-07
Title
WPFront User Role Editor < 4.2.2 - Cross-Site Request Forgery to Privilege Escalation via whitelist_options Function
Published
2025-02-24
Title
WordPress File Upload < 4.25.3 - Cross-Site Request Forgery in wfu_file_details
Published
2025-07-03
Title
Trust Payments Gateway for WooCommerce (JavaScript Library) < 1.3.7 - Cross-Site Request Forgery
Published
2025-12-15
Title
Simple Folio < 1.1.1 - Cross-Site Request Forgery