Post Meta Data Manager <= 1.2.1 - Cross-Site Request Forgery to Post, Term, and User Meta Deletion

The Post Meta Data Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the pmdm_wp_ajax_delete_meta, pmdm_wp_delete_user_meta, and pmdm_wp_delete_user_meta functions. This makes it possible for unauthenticated attackers to delete arbitrary user, term, and post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

跨站请求伪造(CSRF)

WordPress Plugin Post Meta Data Manager 安全漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin Post Meta Data Manager 1.2.1及之前版本存在安全漏洞，该漏洞源于缺少随机数验证，容易受到跨站请求伪造攻击，未经身份验证的攻击者可以通过伪造的请求删除任意用户、术语和帖子。

N/A

N/A