WordPress Uninstall <= 1.1 - WordPress Deletion via CSRF

Sign up to our free email alerts service for instant vulnerability notifications!

Description
Any registered user can delete all WordPress database tables and files.

This request makes it possible:
http://wp.dev/wp-admin/admin-ajax.php?action=uninstall

Affects

Plugin uninstall
fixed in version 1.2

References

URL http://pastebin.com/5QTTTSUV

Classification

Type CSRF
OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)
CWE CWE-352

Miscellaneous

Submitter SecuBeastTeam
Views 122
Verified No
WPVDB ID 7715

Timeline

Publicly Published 2015-02-11 (almost 2 years ago)
Added 2014-12-11 (almost 2 years ago)
Last Updated 2015-05-15 (over 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.