WordPress Plugin Vulnerabilities

Word Balloon < 4.20.3 - Avatar Removal via CSRF

Description

The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link.

Proof of Concept

Affects Plugins

Plugin icon
word-balloon
Fixed in 4.20.3

References

CVE
CVE-2023-5884

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
f4a7937c-6f4b-49dd-b88a-67ebe718ad19

Timeline

Publicly Published
2023-11-13 (about 2 years ago)
Added
2023-11-13 (about 2 years ago)
Last Updated
2023-11-13 (about 2 years ago)

Other

Published
Title
Published
2021-02-16
Title
Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection
Published
2024-07-05
Title
Master Slider < 3.10.0 - CSRF to slider deletion
Published
2014-08-01
Title
Ultimate Auction 1.0 - Cross-Site Request Forgery (CSRF)
Published
2025-04-04
Title
AI Content Creator <= 1.2.6 - Cross-Site Request Forgery
Published
2015-05-05
Title
WP Ultimate CSV Importer < 3.7.3 - Various CSRF