21 Jun

Cross-Site Request Forgery (CSRF)/Media Deletion Vulnerability in Import users from CSV with meta

One of the changelog entries for the latest version of Import users from CSV with meta is “XSS problem fixed when displaying data imported thanks to lckjack who reports it”, while looking to see if there was a vulnerability related to that we should be notifying the customers of our service about if they use that plugin, we found a vulnerability we could confirm still exists. It turns out the plugin’s functionality for deleting files uploaded through it isn’t properly secured, so an attacker could cause logged in Administrators to delete any WordPress media files without intending it.

[Read more]