WordPress Plugin Vulnerabilities

CRM: Contact Management Simplified – UkuuPeople <= 1.6.3 - Unauthorised Favourite Addition/Deletion

Description

The plugin does not properly check for CSRF in its ukuu_add_to_fav AJAX action, allowing attacker to make logged in users call them them and add or delete arbitrary favourite post.

Proof of Concept

Affects Plugins

Plugin icon
ukuupeople-the-simple-crm
No known fix

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
bb0b964e-cb85-437c-a199-ab1b5a7cb6d0

Timeline

Publicly Published
2021-07-05 (about 4 years ago)
Added
2021-07-05 (about 4 years ago)
Last Updated
2021-07-05 (about 4 years ago)

Other

Published
Title
Published
2025-01-16
Title
WP Custom Google Search <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-04-11
Title
Siteimprove < 2.0.7 - Cross-Site Request Forgery
Published
2025-02-27
Title
RateMyAgent Official < 1.5.0 - Cross-Site Request Forgery to API Key Update
Published
2025-11-26
Title
Reuters Direct <= 3.0.0 - Cross-Site Request Forgery to Settings Reset
Published
2023-08-21
Title
Herd Effects < 5.2.4 - Effect Deletion via CSRF