WordPress Plugin Vulnerabilities

Database Reset < 3.23 - Cross-Site Request Forgery to WP Reset Plugin Installation

Description

The Database Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.22. This is due to missing or incorrect nonce validation on the install_wpr() function. This makes it possible for unauthenticated attackers to install the WP Reset Plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wordpress-database-reset
Fixed in 3.23

References

CVE
CVE-2024-1501
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e493cf-d022-404d-a501-a6671e6116f4

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
adc1a1ce-de5a-4fd5-8329-710aae356866

Timeline

Publicly Published
2024-02-20 (about 2 years ago)
Added
2024-02-20 (about 2 years ago)
Last Updated
2024-02-20 (about 2 years ago)

Other

Published
Title
Published
2024-02-26
Title
Categorify < 1.0.7.5 - Cross-Site Request Forgery via categorifyAjaxAddCategory
Published
2025-03-27
Title
publish post email notification < 1.0.2.4 - Cross-Site Request Forgery
Published
2023-05-25
Title
Button Generator – easily Button Builder < 2.3.6 - Cross-Site Request Forgery
Published
2025-01-03
Title
WP Simple Sitemap <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-10-16
Title
Forminator Forms < 1.36.0 - Draft Custom Form Creation via CSRF