SOPlanning 1.45 is vulnerable to a CSRF attack that allows the admin password to be changed arbitrarily via process/xajax_server.php.
Recent assessments:
J3rryBl4nks on March 09, 2020 at 9:14pm UTC reported:
Because there is no stored XSS (that I could find, at least), you need to have user interaction for this exploit. It is nice that you can change the admin password and then get SQL injection to get a shell.
This is not installed on very many servers and is not incredibly valuable.
<https://github.com/J3rryBl4nks/SOPlanning>
Assessed Attacker Value: 1
Assessed Attacker Value: 5