WordPress Plugin Vulnerabilities

Simple Membership < 4.1.0 - Arbitrary Transaction Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
simple-membership
Fixed in 4.1.0

References

CVE
CVE-2022-0681

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
muhamad hidayat
Submitter
muhamad hidayat
Submitter website
https://muh-hidayat7799.medium.com/
Submitter twitter
hidesu_ae
Verified
Yes
WPVDB ID
c5765816-4439-4c14-a847-044248ada0ef

Timeline

Publicly Published
2022-02-25 (about 3 years ago)
Added
2022-02-25 (about 3 years ago)
Last Updated
2022-04-17 (about 3 years ago)

Other

Published
Title
Published
2025-01-16
Title
Copyright Safeguard Footer Notice <= 3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-01-16
Title
Frontpage Manager <= 1.3 - Cross-Site Request Forgery via admin_page
Published
2025-09-26
Title
HTACCESS IP Blocker <= 1.0 - Cross-Site Request Forgery
Published
2024-12-12
Title
Admin Customization <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-03-22
Title
LiteSpeed Cache <= 5.3 - CSRF