CSRF vulnerability | WordPress.org

Resolved aboutsource
(@aboutsource)

11 years, 3 months ago

Taken from https://wpvulndb.com/vulnerabilities/7715

Description: Any registered user can delete all WordPress database tables and files. A browser request makes it possible: http://wp.dev/wp-admin/admin-ajax.php?action=uninstall
The plugin does not check for user rights

https://wordpress.org/plugins/uninstall/

Viewing 1 replies (of 1 total)

Plugin Author Ronni
(@quackquacker)

11 years, 2 months ago

Thanks for the notice, sorry about the delay, I did not notice it.

The plugin now checks if the user trying to uninstall is administrator.

As a added bonus I have added a warning not to activate the plugin unless your ready to get everything uninstalled.

Viewing 1 replies (of 1 total)

The topic ‘CSRF vulnerability’ is closed to new replies.

1 reply
2 participants
Last reply from: Ronni
Last activity: 11 years, 2 months ago
Status: resolved