Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can be tricked, by clicking a link, into deleting an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.
The good news is that there is not much else that can be done by exploiting this weakness, and the attacker needs to know the id of the domain they wish to delete from the database beforehand.
Still, we recommend that anybody running version 4.5.0 or earlier of the plugin upgrade as soon as possible.
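The weakness described above is the classic WordPress CSRF pattern: a state-changing action reachable through a plain link, with no nonce tying the request to the logged-in user's session. The following is an added example, not code from the Software License Manager plugin; the action name `slm_example_delete_domain`, the table name `example_registered_domains` and the `id` parameter are hypothetical, and the plugin's own handler and table names are not reproduced here. It shows the unprotected handler next to a hardened one that checks capability and a per-record nonce before deleting.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.

// Unprotected form: any GET to admin-post.php?action=...&id=N by a logged-in
// user deletes the record. A link on a third-party page is enough, because
// the browser attaches the victim's session cookie automatically.
function slm_example_delete_domain_unprotected() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? (int) $_GET['id'] : 0;
    $wpdb->delete( $wpdb->prefix . 'example_registered_domains', array( 'id' => $id ), array( '%d' ) );
}

// Hardened form: capability check (authorization) plus a nonce bound to the
// specific record (request origin). Registered on the admin_post_ hook so it
// only runs for authenticated users; the nonce does the rest.
add_action( 'admin_post_slm_example_delete_domain', 'slm_example_delete_domain' );

function slm_example_delete_domain() {
    // Only users allowed to manage the site may delete domain records.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid id.', '', array( 'response' => 400 ) );
    }

    // check_admin_referer() validates the _wpnonce query parameter against
    // the action string for the current user and dies on mismatch. Folding
    // the id into the action means a nonce issued for one record cannot be
    // reused against another.
    check_admin_referer( 'slm_example_delete_domain_' . $id );

    global $wpdb;
    $table = $wpdb->prefix . 'example_registered_domains'; // hypothetical table
    $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Building the matching link inside the admin UI: wp_nonce_url() appends a
// _wpnonce value derived from the user's session, which a page on another
// site cannot predict, so a forged link fails the check above.
function slm_example_delete_domain_link( $id ) {
    $id  = absint( $id );
    $url = add_query_arg(
        array( 'action' => 'slm_example_delete_domain', 'id' => $id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'slm_example_delete_domain_' . $id );
}
```

The capability check and the nonce serve different purposes and both are needed: the nonce proves the request was built by a page the site itself served to this user, while `current_user_can()` decides whether that user is permitted to delete at all. Using a POST form with `wp_nonce_field()` instead of a GET link is the more conventional choice for destructive actions, but the nonce check is what closes the CSRF hole in either case.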
- Plugin Name: Software License Manager
- Slug: software-license-manager
- Plugin URI: https://wordpress.org/plugins/software-license-manager/
- Vendor: Tips and Tricks HQ
- Vulnerable versions: <= 4.5.0
- Fixed in version: 4.5.1
- References: CVE-2021-24711, CWE-352, CVSS: 7.6, CWSS: 40.7