Vigil@nce - WordPress Simple Membership: Cross Site Request Forgery via Bulk Operation menu
September 2019 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer/Computer-vulnerability-database-and-alert
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a Cross Site Request Forgery via the Bulk
Operation menu of WordPress Simple Membership, in order to force
the victim to perform operations on the attacker's behalf.
– Impacted products: WordPress Plugins (list not comprehensive).
– Severity: 2/4.
– Consequences: user access/rights.
– Provenance: internet client.
– Confidence: confirmed by the vendor (5/5).
– Creation date: 29/07/2019.
DESCRIPTION OF THE VULNERABILITY
The Simple Membership plugin can be installed on WordPress.
However, the origin of requests sent to its Bulk Operation menu is
not checked (for example with a WordPress nonce tied to the form the
user submitted). Such a request can therefore be issued, for
example, by an image included in an HTML document that the victim
views while logged in with access to that menu; the browser attaches
the victim's session cookie and the plugin processes the request as
if the victim had submitted it.
An attacker can therefore trigger a Cross Site Request Forgery via
the Bulk Operation menu of WordPress Simple Membership, in order to
force the victim to perform operations on the attacker's behalf.
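As an added illustration (not code from the Simple Membership plugin or from Vigil@nce), the following PHP sketches a WordPress admin "bulk operation" handler that suffers from the weakness described above, and then the same handler protected with WordPress's standard nonce and capability checks. Every function, hook, parameter and URL name used here (example_bulk_handler_vulnerable, example_bulk_operation, bulk_action, ids, victim.example, and so on) is an assumption made for the example and does not correspond to the plugin's real code.

```php
<?php
/*
 * Added example, not the plugin's own code. A hypothetical WordPress
 * admin handler for a "bulk operation" menu, first without any origin
 * check, then hardened. All names below are assumptions.
 */

// Vulnerable form: acts on any request that carries the right parameters.
// Nothing ties the request to a form the user actually submitted, so a
// logged-in admin who views an attacker-controlled page containing
//   <img src="https://victim.example/wp-admin/admin.php?page=example_bulk&bulk_action=delete&ids[]=7">
// silently performs the operation: the browser sends the victim's session
// cookie with the image request and the handler cannot tell the difference.
function example_bulk_handler_vulnerable() {
    if ( empty( $_REQUEST['bulk_action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) wp_unslash( $_REQUEST['ids'] ?? array() ) );
    example_apply_bulk_operation( $action, $ids );
}

// Hardened form, part 1: the page that renders the bulk form emits a nonce
// bound to the action name. The nonce is derived from the user's session,
// so a cross-site page cannot know or guess it.
function example_render_bulk_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=example_bulk' ) ) . '">';
    wp_nonce_field( 'example_bulk_operation', 'example_bulk_nonce' );
    echo '<select name="bulk_action"><option value="delete">Delete</option></select>';
    echo '<input type="checkbox" name="ids[]" value="7"> member 7';
    echo '<input type="submit" value="Apply">';
    echo '</form>';
}

// Hardened form, part 2: the handler refuses to act unless the request is a
// POST from a sufficiently privileged user and carries a valid nonce.
function example_bulk_handler_hardened() {
    if ( empty( $_POST['bulk_action'] ) ) {
        return; // an <img> only issues GET, but POST alone is not a CSRF defence
    }
    // Capability check: only users allowed to manage the site may run this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Origin check: check_admin_referer() verifies the nonce from the form
    // above and stops execution (wp_die) when it is missing or invalid.
    check_admin_referer( 'example_bulk_operation', 'example_bulk_nonce' );

    $action = sanitize_key( wp_unslash( $_POST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) wp_unslash( $_POST['ids'] ?? array() ) );
    example_apply_bulk_operation( $action, $ids );
}

// Hypothetical stand-in for whatever the real plugin does with the selection.
function example_apply_bulk_operation( $action, array $ids ) {
    foreach ( $ids as $id ) {
        error_log( sprintf( 'bulk %s on member %d', $action, $id ) );
    }
}

// Wire the hardened handler into the admin request cycle (hypothetical page slug).
add_action( 'admin_init', function () {
    if ( isset( $_GET['page'] ) && 'example_bulk' === sanitize_key( wp_unslash( $_GET['page'] ) ) ) {
        example_bulk_handler_hardened();
    }
} );
```

The nonce is the load-bearing control: moving the operation from GET to POST stops the image trick shown in the comment, but an attacker page can still auto-submit a cross-site form, so only a per-session secret the attacker cannot read prevents the forged request from being accepted. The capability check is separate and necessary in its own right, since a nonce only proves the request came from the user's own form, not that the user is allowed to perform the action.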
ACCESS TO THE FULL VIGIL@NCE BULLETIN