Bulk Me Now <= 2.0 – Message Deletion via CSRF | CVE 2024-12709

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

Proof of Concept

Have an admin go to:

https://example.com/wp-admin/admin.php?page=bulkmenow-list&button_action=send_trash&message_id=1&status=3&paged=0

"message_id" can be changed to any valid ID and the item will be deleted.

Affects Plugins

bulk-me-now

No known fix

References

CVE

CVE-2024-12709

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

bobmatyas

Verified

Yes

WPVDB ID

d93056f1-1a6e-405f-a094-d4d270393f87

Timeline

Publicly Published

2025-01-09 (about 11 months ago)

Added

2025-01-09 (about 11 months ago)

Last Updated

2025-01-09 (about 11 months ago)

Other

Published

Title

Published

2025-01-07

Title

Biltorvet Dealer Tools <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-05-31

Title

GTM4WP < 1.15.2 - Admin+ Stored Cross-Site Scripting

Published

2019-02-05

Title

WP Live Chat Support < 8.0.18 - Cross-Site Scripting (XSS)

Published

2025-09-29

Title

Big Post Shipping for WooCommerce < 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-20

Title

Schedule <= 1.0.0 - Reflected XSS