Vulnerability Details :

The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents: the delete action is not protected by a nonce, so a logged-in user who is lured into submitting a forged request can be made to delete records (users) when the record ID is known.

  • Exploit Author: UnD3sc0n0c1d0
  • Vendor Homepage: https://www.bdtask.com/
  • Category: Web Application
  • Version: 1.0.0
  • Download: https://downloads.wordpress.org/plugin/multi-scheduler.1.0.0.zip

Full Proof of Concept (PoC)

Step -1

Step -2

Step -3

Step -4

Step -5

Step -6

BOOM 🙂 !! User will be deleted.
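The defect class behind this PoC, shown as an added illustration rather than the plugin's own code: a WordPress admin-post handler that deletes whatever ID arrives in the request, beside the idiomatic fix (capability check plus a nonce bound to the action and the record). Table, hook and function names prefixed `msched_` are hypothetical.

```php
<?php
// Added illustration, not the Multi-Scheduler plugin's code. All msched_* names are hypothetical.

// BEFORE: the handler trusts the request. The browser attaches the victim's WordPress
// auth cookies to a form submitted from any site, so the delete runs without the
// victim's intent. (Shown unhooked so the two handlers do not both fire.)
function msched_delete_user_vulnerable() {
    global $wpdb;
    $id = intval( $_POST['id'] );
    $wpdb->delete( $wpdb->prefix . 'msched_users', array( 'id' => $id ), array( '%d' ) );
}
// add_action( 'admin_post_msched_delete_user', 'msched_delete_user_vulnerable' );

// AFTER: require a capability AND a nonce. Nonces are derived from the logged-in
// user's session, so a third-party page cannot pre-compute one for the victim.
function msched_delete_user_fixed() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    // check_admin_referer() calls wp_die() on a missing or invalid nonce. Binding the
    // record ID into the action string stops a nonce issued for one row being replayed
    // against another.
    check_admin_referer( 'msched_delete_user_' . $id, 'msched_nonce' );
    if ( $id > 0 ) {
        $wpdb->delete( $wpdb->prefix . 'msched_users', array( 'id' => $id ), array( '%d' ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=msched&deleted=1' ) );
    exit;
}
add_action( 'admin_post_msched_delete_user', 'msched_delete_user_fixed' );

// The legitimate form must emit the matching nonce field, otherwise the fixed
// handler rejects the plugin's own submissions as well.
function msched_render_delete_form( $id ) {
    $id = absint( $id );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="msched_delete_user">';
    echo '<input type="hidden" name="id" value="' . esc_attr( $id ) . '">';
    wp_nonce_field( 'msched_delete_user_' . $id, 'msched_nonce' );
    submit_button( 'Delete', 'delete', 'submit', false );
    echo '</form>';
}
```

A quick check for the defect in any plugin is to grep the delete/update handlers for `check_admin_referer` or `wp_verify_nonce`; a state-changing handler with neither, and no capability check, is the pattern this advisory describes.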

About the Author
Virat Sharma: Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be contacted on LinkedIn.

2 thoughts on “Exploit WordPress Plugin Multi-Scheduler 1.0.0 – CSRF (Delete User) (PoC)”

  1. I’m amazed, I must say. Rarely do I come across a blog that’s both educative and amusing, and without a doubt, you have hit the nail on the head. The issue is something which too few people are speaking intelligently about.

     I’m very happy that I found this during my hunt for something regarding this.
