WP OAuth Server by Justin Greer <= 4.2.3 - Arbitrary Post Deletion via CSRF
LANACOMMONVDB ID: 260c6c27-3b96-4938-92d2-7c879f879fd6
The plugin does not perform a Cross-Site Request Forgery (CSRF) check when deleting a client, and does not verify that the object being deleted is actually a client. This could allow attackers to make a logged-in admin delete arbitrary clients and posts via a CSRF attack.
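The two missing checks described above, shown in a delete handler that performs both. This is an added example, not the plugin's own code: the action name `example_delete_client`, the post type `example_oauth_client`, the `example_clients` admin page and the function names are hypothetical, and it assumes clients are stored as a custom post type and that the code runs inside WordPress.

```php
<?php
// Added illustration, not code from WP OAuth Server.
// Hypothetical names: action 'example_delete_client', post type 'example_oauth_client'.
const EXAMPLE_CLIENT_POST_TYPE = 'example_oauth_client';

// Build the admin delete link with a nonce bound to this action and this client ID.
function example_client_delete_url( int $client_id ): string {
    $url = add_query_arg(
        array(
            'action'    => 'example_delete_client',
            'client_id' => $client_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_delete_client_' . $client_id );
}

function example_handle_client_delete(): void {
    $client_id = isset( $_GET['client_id'] ) ? absint( $_GET['client_id'] ) : 0;

    // Authorization: only administrators may delete clients.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete clients.', '', array( 'response' => 403 ) );
    }

    // CSRF check: stops the request unless it carries the nonce issued above
    // for this exact action and ID, which a cross-site page cannot supply.
    check_admin_referer( 'example_delete_client_' . $client_id );

    // Object type check: refuse any ID that is not a client, so the handler
    // cannot be pointed at ordinary posts or pages.
    if ( 0 === $client_id || EXAMPLE_CLIENT_POST_TYPE !== get_post_type( $client_id ) ) {
        wp_die( 'The requested object is not an OAuth client.', '', array( 'response' => 400 ) );
    }

    wp_delete_post( $client_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=example_clients' ) );
    exit;
}
add_action( 'admin_post_example_delete_client', 'example_handle_client_delete' );
```

Either check alone leaves a gap: the nonce without the type check still lets an admin's own request delete a non-client post, and the type check without the nonce still lets a forged request delete clients.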