1 results (0.002 seconds)

CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1

The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack The Easy Property Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete contacts in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/f89c8654-5486-4939-880d-101f33d359c0 • CWE-352: Cross-Site Request Forgery (CSRF) •