WordPress Plugin Vulnerabilities

Shoppable Images Lite < 1.2.4 - Arbitrary Post Deletion via CSRF

Description

The plugin does not have CSRF checks in some places, for example when deleting/updating images. Furthermore, it does not ensure that the image to be deleted are actually images, which could allow attackers to make logged in admins delete arbitrary posts via a CSRF attack

Affects Plugins

Plugin icon
mabel-shoppable-images-lite
Fixed in 1.2.4

References

CVE
CVE-2023-25698

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
f4c2366d-473a-461e-a6bd-e05463594223

Timeline

Publicly Published
2023-02-13 (about 3 years ago)
Added
2023-05-18 (about 2 years ago)
Last Updated
2023-05-18 (about 2 years ago)

Other

Published
Title
Published
2023-07-17
Title
WooCommerce Ship to Multiple Addresses < 3.8.6 - Cross-Site Request Forgery
Published
2019-07-16
Title
Ultra Simple Paypal Shopping Cart <= 4.4 - Cross-Site Request Forgery (CSRF)
Published
2023-09-05
Title
Backup Migration < 1.3.0 - Cross-Site Request Forgery
Published
2024-11-11
Title
W3SPEEDSTER < 7.27 - Cross-Site Request Forgery
Published
2024-02-27
Title
Gestpay for WooCommerce < 20240307 - Cross-Site Request Forgery (CSRF) via ajax_delete_card