WP-Members < 3.2.8.1 – Cross-Site Request Forgery (CSRF) | CVE 2019-15660 | Plugin Vulnerabilities

Description

No CSRF Protection on Add new Fields.

Can also Edit and Delete fields the same way.

Proof of Concept

1.Download csrf_wp-members.html
2.Change URL in html file.(FORM ACTION).
3.Submit Request.

Video POC : https://drive.google.com/file/d/1TuJK0NjxznjTDmoJF5wbGu2vMA_XXikw/view?usp=sharing
HTML_FILE : https://drive.google.com/file/d/131SkyhmXfOZeZV8ph6Y8QOaSVG3WxvdZ/view?usp=sharing

Affects Plugins

Fixed in 3.2.8.1

References

CVE

URL

https://plugins.trac.wordpress.org/changeset?reponame=&new=2107103%40wp-members&old=2100770%40wp-members

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

m0ns7er

Submitter

Akash Labade

Submitter website

https://www.asfaleia.tech

Submitter twitter

Verified

Yes

WPVDB ID

e193faba-4589-45c7-aa4c-caa3ce5a0072

Timeline

Publicly Published

2019-06-13 (about 6 years ago)

Added

2019-06-14 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-06-13

Title

WP URL Shortener <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-01-03

Title

BSK Forms Blacklist < 4.0 - SQLi via CSRF

Published

2023-07-10

Title

WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF

Published

2025-01-03

Title

Autocompleter <= 1.3.5.2 - Cross-Site Request Forgery

Published

2025-09-26

Title

Multilang Contact Form <= 1.5 - Cross-Site Request Forgery