WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Contextual Related Posts < 2.9.4 - CSRF Nonce Validation Bypass

Description

The plugin does not properly check for the CSRF nonce in the export and import features, which could allow attackers to make authenticated logged in administrators perform those actions via a CSRF attack.

Proof of Concept

To bypass the nonce validation, just don't send the crp_export_settings_nonce or crp_import_settings_nonce  parameter.

File: contextual-related-posts/includes/admin/modules/tools.php

Code: 
if ( isset( $_POST['crp_export_settings_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['crp_export_settings_nonce'] ), 'crp_export_settings_nonce' ) ) {
    return;
}

if ( isset( $_POST['crp_import_settings_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['crp_import_settings_nonce'] ), 'crp_import_settings_nonce' ) ) {
    return;
}

Affects Plugins

contextual-related-posts
Fixed in version 2.9.4

References

URL
https://plugins.trac.wordpress.org/changeset/2387037/contextual-related-posts/trunk/includes/admin/modules/tools.php
URL
https://lenonleite.com.br/en/2020/09/19/explorando-vulnerabilidade-em-operadores-logicos-isset-algumacoisa/

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Lenon Leite

Submitter

Lenon Leite

Submitter website
https://lenonleite.com.br/
Submitter twitter
lenonleite
Verified

Yes

WPVDB ID
737e8d03-aa44-4903-a82d-6da94962aa0a

Timeline

Publicly Published

2020-11-19 (about 2 years ago)

Added

2020-11-19 (about 2 years ago)

Last Updated

2020-11-20 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin