WordPress Plugin Vulnerabilities
Redux Framework < 4.1.21 - CSRF Nonce Validation Bypass
Description
The plugin did not properly validate some nonces, only checking them if their value was set. As a result, CSRF attacks could still be performed by not submitting the nonce in the request, bypassing the protection they are supposed to provide.
Proof of Concept
Just don't send the parameters: $_POST['nonce'] or $_REQUEST['nonce']
=================================
File: redux-core/inc/classes/class-redux-admin-notices.php
if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['nonce'] ) ), $id . $userid . 'nonce' ) ) {
die( 0 );
}
=================================
File: redux-core/inc/classes/class-redux-ajax-save.php
Content:
if ( isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( sanitize_key( wp_unslash( $_REQUEST['nonce'] ) ), 'redux_ajax_nonce' . $this->args['opt_name'] ) ) {
echo wp_json_encode(...
die();
} Affects Plugins
Fixed in version 4.1.21
References
Classification
Miscellaneous
Original Researcher
Lenon Leite - DevSoftIn
Submitter
Lenon Leite
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2020-12-15 (about 2 years ago)
Added
2020-12-15 (about 2 years ago)
Last Updated
2020-12-16 (about 2 years ago)