CVE-2015-9332 in Uninstall Plugin
Summary
by MITRE
The uninstall plugin before 1.2 for WordPress has CSRF to delete all tables via the wp-admin/admin-ajax.php?action=uninstall URI.
Analysis
by VulDB Data Team • 11/27/2023
The vulnerability identified as CVE-2015-9332 represents a critical cross-site request forgery weakness in the uninstall plugin for WordPress systems. This flaw affects versions prior to 1.2 of the plugin and exposes administrators to unauthorized table deletion through a specifically crafted malicious request. The vulnerability occurs within the WordPress administrative interface at the wp-admin/admin-ajax.php endpoint where the uninstall action is processed, making it particularly dangerous as it leverages the legitimate administrative functionality of the platform.
The technical root cause of this vulnerability is the absence of proper authentication checks and anti-CSRF token (nonce) validation in the uninstall plugin's handling of its administrative AJAX request. When an authenticated administrator visits a malicious website or clicks a compromised link, the attacker's page can submit a request to the uninstall action; the browser attaches the administrator's session cookies automatically, so the request arrives at admin-ajax.php as if it had been issued from the legitimate WordPress admin interface. The uninstall plugin processes this request without sufficient verification, allowing the deletion of all database tables associated with the plugin. This type of vulnerability falls under CWE-352, Cross-Site Request Forgery, where insufficient validation of the origin of a request permits unauthorized actions to be executed on behalf of an authenticated user.
The operational impact of this vulnerability extends beyond simple data loss, as it can completely compromise the integrity and availability of WordPress installations. An attacker who successfully exploits this vulnerability can effectively destroy all plugin data and potentially disrupt the entire WordPress system's functionality. The attack vector requires minimal sophistication and can be executed through simple HTML forms or JavaScript code that automatically submits requests to the vulnerable endpoint. This makes it particularly dangerous for high-privilege accounts such as administrators who maintain critical website functionality and data.
Security professionals should note that this vulnerability aligns with ATT&CK technique T1059.001 for command and scripting interpreter usage, as attackers may leverage the administrative interface to execute destructive commands. The lack of proper input validation and session management creates an environment where attackers can manipulate legitimate administrative functions for malicious purposes. Organizations should prioritize immediate patching of affected installations and implement additional security measures such as network segmentation and monitoring of administrative endpoints. The vulnerability demonstrates the critical importance of validating all administrative requests and implementing robust anti-CSRF protections in WordPress plugins, particularly those that handle destructive operations like database table removal.
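The following is an added example, not the uninstall plugin's own code, illustrating the weakness described in the analysis above and the anti-CSRF protections recommended at the end of it: a WordPress admin-ajax.php handler with no origin check beside one that enforces a nonce, a capability check and POST-only semantics. The hook, function and table names are assumptions.

```php
<?php
// Added example, not the plugin's own code. It contrasts an admin-ajax.php
// handler with no request-origin check against one that enforces a WordPress
// nonce and a capability check. Function, hook and table names are assumed.

// --- Weak pattern (the shape of the flaw CVE-2015-9332 describes) -----------
// Not registered with add_action here; shown only to make the missing checks
// visible. Any request carrying the admin's cookies would be honoured.
function uninstall_example_vulnerable_handler() {
    global $wpdb;
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}uninstall_example_data" );
    wp_send_json_success();
}

// --- Hardened handler --------------------------------------------------------
function uninstall_example_secure_handler() {
    global $wpdb;
    // 1. Reject requests that lack a nonce minted for this exact action. A
    //    cross-site page cannot read the nonce, so it cannot forge the call.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'uninstall_example_drop_tables', 'nonce' );
    // 2. Require a capability rather than trusting any logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 3. Destructive operations should be POST-only; a GET link can be
    //    triggered by an <img> tag or a crawler.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}uninstall_example_data" );
    wp_send_json_success();
}
add_action( 'wp_ajax_uninstall', 'uninstall_example_secure_handler' );

// The admin page hands the nonce to the plugin's own script; it is never
// exposed cross-origin, which is what makes the nonce check effective.
function uninstall_example_enqueue( $hook ) {
    if ( 'plugins.php' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'uninstall-example', plugins_url( 'uninstall.js', __FILE__ ),
        array( 'jquery' ), '1.2', true );
    wp_localize_script( 'uninstall-example', 'uninstallExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'uninstall_example_drop_tables' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'uninstall_example_enqueue' );
```

The assumed uninstall.js would POST `action=uninstall` together with `uninstallExample.nonce` to `uninstallExample.ajaxUrl`; a request from any other origin fails the nonce check before the DROP statement is reached.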