Software: WordPress WHIZZ
Version: <1.1.1
Homepage: https://wordpress.org/plugins/whizz/
Description
================
A GET-type CSRF in WordPress WHIZZ allows attackers to delete any WordPress user and to change the status of plugins.
POC:
========
Include the following in a page; when the victim loads it, the attack will occur:
Delete a user:
Activate or deactivate plugins:
Mitigations
================
Disable the plugin until a new version is released that fixes this bug.
FIX:
==========
https://wordpress.org/plugins/whizz/ 1.1.1 changelog->Specifically
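As an illustration of the class of fix that closes this bug, the following is an added example written for this advisory; it is not WHIZZ's code and not the 1.1.1 patch. The hook name, parameter names and function names are assumptions. It shows the vulnerable pattern (a state-changing action served over GET with no nonce and no capability check) next to a hardened handler that requires a POST, a nonce bound to the action and target, and the `delete_users` capability.

```php
<?php
// Added example, not the WHIZZ plugin's own code. Hook and parameter names are assumed.

// VULNERABLE PATTERN: any request carrying the parameter performs the action.
// No nonce and no capability check means a page the logged-in victim merely
// visits can trigger the deletion (the GET-type CSRF described above).
add_action('admin_init', function () {
    if (isset($_GET['whizz_delete_user'])) {            // hypothetical parameter
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user((int) $_GET['whizz_delete_user']);
    }
});

// HARDENED PATTERN, part 1: the UI emits a POST form with a nonce that is
// tied to both the action and the specific user id being deleted.
function whizz_example_delete_user_form($user_id) {     // hypothetical name
    $action = 'whizz_delete_user_' . (int) $user_id;
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field($action, '_whizz_nonce'); ?>
        <input type="hidden" name="action" value="whizz_delete_user">
        <input type="hidden" name="user_id" value="<?php echo (int) $user_id; ?>">
        <button type="submit">Delete user</button>
    </form>
    <?php
}

// HARDENED PATTERN, part 2: the handler rejects anything that is not a POST,
// verifies the nonce for this exact action, and checks the caller's capability.
add_action('admin_post_whizz_delete_user', function () {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        wp_die('Method not allowed', '', array('response' => 405));
    }
    $user_id = isset($_POST['user_id']) ? (int) $_POST['user_id'] : 0;
    $nonce   = isset($_POST['_whizz_nonce']) ? $_POST['_whizz_nonce'] : '';
    // wp_verify_nonce() fails for a token not issued to this session for this
    // action/user pair, which is what stops a cross-site request from succeeding.
    if (!$user_id || !wp_verify_nonce($nonce, 'whizz_delete_user_' . $user_id)) {
        wp_die('Invalid request', '', array('response' => 403));
    }
    if (!current_user_can('delete_users')) {
        wp_die('Insufficient privileges', '', array('response' => 403));
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user($user_id);
    wp_safe_redirect(admin_url('users.php'));
    exit;
});
```

The same nonce-plus-capability pattern applies to the plugin activate/deactivate action, using `activate_plugins` as the required capability.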
Best regards,
Zhiyang Zeng of Tencent security platform department