Custom Searchable Data Entry System <= 1.7.1 - Unauthenticated Data Modification and Deletion (0-day, being exploited)



Description
"The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database."

Affects Plugin

no known fix - plugin closed

References

URL https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Ram Gall (Wordfence)
Views 1379
Verified No
WPVDB ID 10117

Timeline

Publicly Published 2020-03-07 (3 months ago)
Added 2020-03-07 (3 months ago)
Last Updated 2020-03-08 (3 months ago)
