WordPress Plugin Vulnerabilities

ByREV WP-PICShield - Cross-Site Request Forgery (CSRF)

Description

The ByREV WP-PICShield WordPress plugin is vulnerable to CSRF.

When the plugin options are updated, several parameters from the submitted POST request are written directly to the .htaccess file in the WordPress root directory. An attacker may be able to insert arbitrary lines into the .htaccess file, reconfiguring it to redirect visitors to another website or to perform other malicious actions.

While all plugin options can be updated by an attacker via CSRF, the following parameter values are directly inserted into .htaccess:
byhln[gtfo_key]
byhln[images_extension]
byhln[allowed_domains]
byhln[allowed_user_agents]
byhln[allowed_remote_ip]

The attached PoC demonstrates a CSRF payload which rewrites the victim's .htaccess file to redirect to an attacker-controlled website.
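As an added example (not the plugin's own code), this is one hardened shape for the options handler: a capability check and nonce verification so that a forged cross-site request is rejected, plus per-field validation so that even a legitimate submission cannot place line breaks or stray directives into .htaccess. The byhln_* function names, the nonce action and field names, the option name, the BYHLN marker and the rewrite directives are assumptions.

```php
<?php
// Added example (not WP-PICShield's own code): a hardened options handler for the
// byhln[...] fields named above. Function names, the nonce action 'byhln_save', the
// nonce field 'byhln_nonce', the option name 'byhln' and the BYHLN marker are assumptions.
function byhln_validate_option( string $key, string $value ): string {
    // Each value becomes part of an .htaccess line, so a CR/LF or a stray '#' would let a
    // forged request smuggle in its own directives. Allow only a tight per-field charset.
    $patterns = array(
        'gtfo_key'            => '/\A[A-Za-z0-9_-]{1,64}\z/',
        'images_extension'    => '/\A[A-Za-z0-9|]{1,64}\z/',    // e.g. jpg|png|gif
        'allowed_domains'     => '/\A[A-Za-z0-9.|-]{1,255}\z/', // e.g. example.com|cdn.example.com
        'allowed_user_agents' => '/\A[A-Za-z0-9_.|-]{1,255}\z/',
        'allowed_remote_ip'   => '/\A[0-9.|]{1,255}\z/',
    );
    if ( ! isset( $patterns[ $key ] ) || ! preg_match( $patterns[ $key ], $value ) ) {
        wp_die( esc_html( "Invalid value for option $key" ) );
    }
    return $value;
}

function byhln_save_options_hardened() {
    // 1. Only administrators, and only from the plugin's own settings form (nonce).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'byhln_save', 'byhln_nonce' ); // dies if the nonce is missing or invalid

    // 2. Validate every .htaccess-bound field before anything is written.
    $raw   = ( isset( $_POST['byhln'] ) && is_array( $_POST['byhln'] ) ) ? wp_unslash( $_POST['byhln'] ) : array();
    $keys  = array( 'gtfo_key', 'images_extension', 'allowed_domains', 'allowed_user_agents', 'allowed_remote_ip' );
    $clean = array();
    foreach ( $keys as $key ) {
        $clean[ $key ] = byhln_validate_option( $key, (string) ( $raw[ $key ] ?? '' ) );
    }
    update_option( 'byhln', $clean );

    // 3. Write only between the plugin's own markers so the rest of .htaccess stays intact.
    // The directives below are illustrative hotlink-protection rules, not the plugin's real ones.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    $domains = str_replace( '.', '\.', $clean['allowed_domains'] ); // literal dots in the regex
    $rules   = array(
        'RewriteEngine On',
        'RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?(' . $domains . ')/ [NC]',
        'RewriteRule \.(' . $clean['images_extension'] . ')$ - [F]',
    );
    insert_with_markers( get_home_path() . '.htaccess', 'BYHLN', $rules );
}
```

Because insert_with_markers only rewrites the block between its markers, an administrator can also diff that block against the saved options to detect an .htaccess that has been modified outside the plugin.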

Classification

Miscellaneous

Submitter
Zachary Julian
Verified
No

Timeline

Publicly Published
2017-01-04
Added
2017-02-22
Last Updated
2019-08-05
