Pardakht Delkhah <= 2.9.8 - Form Fields Reset via CSRF
Description
The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 lacks CSRF protection on its form fields reset action, allowing attackers to trick admins into resetting the fields via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The پلاگین پرداخت دلخواه (Pardakht Delkhah) WordPress plugin, through version 2.9.8, lacks a Cross-Site Request Forgery (CSRF) check when resetting its form fields. This means the reset action can be triggered without verifying the intent of the logged-in administrator. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) [1].
Exploitation
An attacker can craft a malicious link or page that, when visited by an authenticated administrator, automatically sends a forged request to reset the plugin's form fields. No special privileges or complex prerequisites are needed beyond convincing the admin to interact with the attacker-controlled content. The admin's browser will execute the request, leveraging their active session [1].
Impact
Successful exploitation allows the attacker to reset the form fields of the plugin. This could disrupt the plugin's configuration and stored data, potentially causing a loss of service or requiring the admin to reconfigure settings. The impact is limited to this action and does not directly lead to remote code execution or privilege escalation [1].
Mitigation
The vulnerability is fixed in version 2.9.9 of the plugin [1]. Users should update to this version or later. No other workarounds are documented in the available references. The plugin is not listed on the CISA KEV catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
- Range: <=2.9.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF (nonce) check on the form-field reset action allows an attacker to forge requests on behalf of an authenticated administrator."
Attack vector
An attacker crafts a malicious link or form that, when visited by a logged-in administrator, triggers a cross-site request (CSRF) to the plugin's form-field reset action. Because the plugin lacks a CSRF check on this action (CWE-352), the browser automatically includes the admin's session cookies, causing the request to be processed as if the admin intended it [1]. The attack requires no special network position beyond the ability to deliver the crafted request to the victim admin.
Affected code
The advisory does not specify exact file paths or function names. The vulnerability resides in the form-field reset functionality of the پلاگین پرداخت دلخواه (Pardakht Delkhah) WordPress plugin, versions through 2.9.8 [1].
What the fix does
The advisory states the vulnerability is fixed in version 2.9.9 [1]. No patch diff is provided in the bundle, but the remediation would involve adding a nonce (CSRF token) check to the form-field reset action, so that the server verifies the request originated from a form it issued to the intended admin session rather than from an externally forged request.
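The following is an added illustration of the remediation pattern described above; it is not code from the Pardakht Delkhah plugin, whose files and function names the advisory does not disclose. Every identifier in it (the option key, the action slug, the nonce field name) is a hypothetical placeholder. It shows a reset handler with the missing check beside the same handler guarded by the standard WordPress nonce and capability checks, plus the form that issues the nonce.

```php
<?php
/*
 * Added example, not the plugin's own code. All names below
 * (example_form_fields, example_reset_fields, _example_nonce) are hypothetical.
 */

// BEFORE: a reset handler with no nonce check (the CWE-352 pattern).
// Any request that reaches this hook while an admin is logged in is
// honoured, because the browser attaches the session cookies on its own.
function example_reset_fields_unprotected() {
    delete_option( 'example_form_fields' ); // hypothetical option key
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&reset=1' ) );
    exit;
}

// AFTER: the same handler guarded by a capability check and a nonce check.
function example_reset_fields_protected() {
    // Only users allowed to manage site settings may reset the fields.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // Verify the nonce that was embedded in the plugin's own form.
    // check_admin_referer() calls wp_die() when the nonce is missing or
    // invalid, so a request forged from another origin never reaches the
    // destructive call below.
    check_admin_referer( 'example_reset_fields', '_example_nonce' );

    delete_option( 'example_form_fields' );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&reset=1' ) );
    exit;
}
add_action( 'admin_post_example_reset_fields', 'example_reset_fields_protected' );

// The form that triggers the reset must carry the matching nonce; a page
// on an attacker's origin cannot read this value, so it cannot forge it.
function example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_reset_fields">
        <?php wp_nonce_field( 'example_reset_fields', '_example_nonce' ); ?>
        <?php submit_button( __( 'Reset form fields', 'example' ), 'delete' ); ?>
    </form>
    <?php
}
```

The nonce is bound to the current user and session and expires after a limited window, which is why it defeats the scenario in the advisory: the forged request arrives with valid cookies but without a value only the plugin's own page could have rendered. The capability check is independent of the nonce and should be kept even once the nonce is present.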
Preconditions
- Auth: The attacker must trick a logged-in WordPress administrator into visiting a crafted URL or page.
- Config: The target site must be running the پلاگین پرداخت دلخواه plugin, version through 2.9.8.
- Network: The attacker must be able to deliver a crafted HTTP request (e.g., via a link, image tag, or form) to the victim's browser.
Reproduction
The advisory does not provide explicit reproduction steps beyond stating that the plugin lacks a CSRF check when resetting its form fields [1]. No standalone PoC code is included in the bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/311e3c15-0f58-4f3b-91f8-0c62c0eea55e/ (source: MITRE; tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.