WordPress WHIZZ Cross Site Request Forgery

WordPress WHIZZ plugin versions prior to 1.1.1 suffer from multiple cross site request forgery vulnerabilities.

MD5 | 3397ac87338546a99b84597adde36cf0

Software: WordPress WHIZZ
Version: <1.1.1
Homepage: https://wordpress.org/plugins/whizz/

Get type CSRF in WordPress WHIZZ allows attackers to delete any wordpress users and change plugins status


include in the page ,then attack will occur:

delete user:

<img src="">

active or disactive plugins:

<img src="">

<img src="">

Disable the plugin until a new version is released that fixes this bug.


https://wordpress.org/plugins/whizz/ 1.1.1 changelog->Specifically

Best regards,

Zhiyang Zeng of Tencent security platform department

Related Posts