WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Ad Invalid Click Protector (AICP) < 1.2.7 - Arbitrary Ban Deletion via CSRF

Description

The plugin does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans

Proof of Concept

https://example.com/wp-admin/admin.php?page=aicp_banned_user_details&action=delete&id=1

Affects Plugins

ad-invalid-click-protector
Fixed in version 1.2.7

References

CVE
CVE-2022-0191
URL
https://plugins.trac.wordpress.org/changeset/2705068

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
d4c32a02-810f-43d8-946a-b7e18ac54f55

Timeline

Publicly Published

2022-04-05 (about 11 months ago)

Added

2022-04-05 (about 11 months ago)

Last Updated

2022-04-13 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin