WordPress Plugin Vulnerabilities

Multi Scheduler <= 1.0.0 - Arbitrary Record Deletion via CSRF

Description

The lack of CSRF check could allow attacker to delete arbitrary records from the plugin (for example Professional ones) via a CSRF attack.

The issue is not patched, and has ben escalated to WP plugins team on May 29th, 2020

Proof of Concept

Affects Plugins

Plugin icon
multi-scheduler
No known fix

References

CVE
CVE-2020-13426
Exploitdb
48532

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.2 (high)

Miscellaneous

Original Researcher
UnD3sc0n0c1d0
Verified
Yes
WPVDB ID
dfcdbefd-5d17-4a64-b797-92192360b070

Timeline

Publicly Published
2020-05-29 (about 5 years ago)
Added
2020-05-29 (about 5 years ago)
Last Updated
2020-06-23 (about 5 years ago)

Other

Published
Title
Published
2022-01-24
Title
Coming soon and Maintenance mode < 3.6.8 - Arbitrary Email Sending to Subscribed Users via CSRF
Published
2021-11-15
Title
WP Limits <= 1.0 - Plugin's Settings Update via CSRF
Published
2025-12-04
Title
Custom Sidebars by ProteusThemes <= 1.0.3 - Cross-Site Request Forgery
Published
2024-04-25
Title
MF Gig Calendar <= 1.2.1 - Cross-Site Request Forgery
Published
2024-09-16
Title
PropertyHive < 2.0.20 - Cross-Site Request Forgery via save_account_details