VYPR
Unrated severity · NVD Advisory · Published Sep 25, 2019 · Updated Aug 6, 2024

CVE-2015-9418
Description

The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing CSRF protection on the quiz deletion endpoint allows an attacker to forge a request that deletes quizzes without the admin's consent."

Attack vector

An attacker crafts a link pointing to `wp-admin/admin.php?page=watupro_exams&action=delete&quiz=1` (or any valid quiz ID) and convinces a logged-in WordPress administrator to visit it [ref_id=1]. Because the Watu Pro plugin performs no CSRF token validation on this action, the browser automatically includes the admin's session cookies and the quiz is deleted. The attack requires no authentication on the attacker's part and can be delivered via email, forum post, or any other medium where the admin can be tricked into clicking the link [ref_id=1].

Affected code

The vulnerable endpoint is `wp-admin/admin.php?page=watupro_exams&action=delete&quiz=N` in the Watu Pro plugin [ref_id=1]. The advisory does not specify the exact file or function name, but the deletion handler lacks any CSRF token verification.

What the fix does

The advisory states that the author reported the issue fixed in version 4.9.0.8, but no patch diff is available in this bundle [ref_id=1]. The expected remediation would be to add a CSRF nonce check to the quiz deletion action so that the request is only processed when accompanied by a valid, session-bound token. The advisory notes that the author disagreed that the issue was exploitable but made changes anyway; dxw recommends upgrading to 4.9.0.8 or later and conducting a security assessment [ref_id=1].
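To make the remediation concrete, the following added example (not Watu Pro's code; the advisory does not publish the plugin's handler) shows the shape of a deletion handler that acts on a bare GET request beside a hardened version that uses WordPress's built-in nonce mechanism. The function names, the `manage_options` capability, the nonce action string and the `example_quizzes` table are assumptions made for the illustration.

```php
<?php
// Added example for CVE-2015-9418; not Watu Pro's own code. Function names,
// capability, nonce action string and table name are assumptions.

// Assumed deletion helper (hypothetical table name).
function watupro_example_delete_quiz( $quiz_id ) {
    global $wpdb;
    return $wpdb->delete(
        $wpdb->prefix . 'example_quizzes',
        array( 'ID' => $quiz_id ),
        array( '%d' )
    );
}

// BEFORE (the flaw class described above, in hypothetical form): any request
// carrying action=delete&quiz=N is honoured. The browser attaches the admin's
// session cookies automatically, so a request forged from another site is
// indistinguishable from one the admin made deliberately.
function watupro_delete_quiz_unsafe() {
    if ( isset( $_GET['action'] ) && $_GET['action'] === 'delete' ) {
        $quiz_id = absint( $_GET['quiz'] );
        watupro_example_delete_quiz( $quiz_id );
    }
}

// AFTER, part 1: the link the admin UI renders carries a nonce that WordPress
// derives from the current user's session and the action string, here bound
// to the specific quiz ID. wp_nonce_url() appends _wpnonce=<token> to the URL.
function watupro_delete_quiz_link( $quiz_id ) {
    $quiz_id = absint( $quiz_id );
    $url = admin_url( 'admin.php?page=watupro_exams&action=delete&quiz=' . $quiz_id );
    return wp_nonce_url( $url, 'watupro_delete_quiz_' . $quiz_id );
}

// AFTER, part 2: the handler refuses to act unless the caller holds the
// capability AND the nonce verifies. check_admin_referer() reads
// $_REQUEST['_wpnonce'], checks it against the action string for the current
// user, and calls wp_die() on mismatch, so a forged URL that lacks a valid
// token never reaches the delete.
function watupro_delete_quiz_safe() {
    if ( ! isset( $_GET['action'] ) || $_GET['action'] !== 'delete' ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $quiz_id = absint( isset( $_GET['quiz'] ) ? $_GET['quiz'] : 0 );
    check_admin_referer( 'watupro_delete_quiz_' . $quiz_id );
    watupro_example_delete_quiz( $quiz_id );
}
```

Binding the nonce action to the quiz ID means a token minted for one quiz's delete link cannot be replayed against another, and because WordPress nonces are tied to the logged-in user and expire after a limited window, a token an attacker sees in their own session is useless against the administrator's. The capability check is kept separately from the nonce check: the nonce proves intent, the capability proves authorization, and the deletion endpoint needs both.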

Preconditions

  • auth: The victim must be a logged-in WordPress administrator.
  • network: The attacker must be able to deliver a crafted URL to the victim (e.g., via email, social media, or a link on another site).
  • input: A valid quiz ID must exist on the target site (the PoC uses quiz=1).

Reproduction

1. Ensure a quiz with ID 1 exists in a WordPress site running Watu Pro before 4.9.0.8.
2. As a logged-in administrator, visit the URL `http://localhost/wp-admin/admin.php?page=watupro_exams&action=delete&quiz=1`.
3. The quiz with ID 1 is deleted without any confirmation or CSRF check [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
