WordPress Plugin Vulnerabilities

Print My Blog < 3.4.2 - Plugin Deactivation via CSRF

Description

The plugin does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link

Proof of Concept

https://example.com/wp-admin/admin.php?page=print-my-blog-projects&action=uninstall

Affects Plugins

Plugin icon
print-my-blog
Fixed in 3.4.2

References

CVE
CVE-2021-24636

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
db8ace7b-7a44-4620-9fe8-ddf0ad520f5e

Timeline

Publicly Published
2021-08-18 (about 2 years ago)
Added
2021-08-18 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2023-10-22
Title
Userback < 1.0.14 - Arbitrary Settings Update via CSRF
Published
2022-05-25
Title
Private Messages For WordPress <= 2.1.10 - Arbitrary Message Sent via CSRF
Published
2021-04-22
Title
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF
Published
2022-09-23
Title
3dady Real Time Web Stats <= 1.0 - Stored Cross-Site Scripting via CSRF
Published
2023-09-04
Title
SIS Handball <= 1.0.45 - Settings Update via CSRF