Multi Scheduler <= 1.0.0 - Arbitrary Record Deletion via CSRF



Description
The lack of a CSRF check could allow an attacker to delete arbitrary records from the plugin (for example, Professional ones) via a CSRF attack.

The issue is not patched, and has been escalated to the WP plugins team on May 29th, 2020.

Proof of Concept
The PoC will be displayed once the issue has been remediated.

Affects Plugin

no known fix
- plugin closed

References

CVE 2020-13426
ExploitDB 48532

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher UnD3sc0n0c1d0
Verified Yes
WPVDB ID 10245

Timeline

Publicly Published 2020-05-29 (about 1 month ago)
Added 2020-05-29 (about 1 month ago)
Last Updated 2020-06-23 (16 days ago)
