WordPress Plugin Vulnerabilities

Widget Logic < 5.10.2 - CSRF to RCE

Description

Widget Logic provides a comfortable way to dynamically toggle widget visibility with custom PHP code. By eval'ing the logic registered for each widget, the plugin determines if it should be shown or not. Due to a nested CSRF vulnerability, attackers are able to make administrators add malicious code to custom sidebar widgets registered with wp_register_sidebar_widget. This results in a Remote Code Execution.

Detailed analysis: https://dannewitz.ninja/posts/widget-logic-csrf-to-rce
Fixed in version 5.10.2: https://plugins.trac.wordpress.org/changeset/2112753/widget-logic

Affects Plugins

Plugin icon
widget-logic
Fixed in 5.10.2

References

CVE
CVE-2019-12826
URL
https://dannewitz.ninja/posts/widget-logic-csrf-to-rce
URL
https://plugins.trac.wordpress.org/changeset/2112753/widget-logic

Miscellaneous

Original Researcher
Paul Dannewitz
Submitter
Paul Dannewitz
Submitter website
https://dannewitz.ninja
Submitter twitter
padannewitz
Verified
No
WPVDB ID
db48c6ef-1250-45ed-b755-6e3c394c7fa3

Timeline

Publicly Published
2019-06-28 (about 6 years ago)
Added
2019-06-28 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2015-08-10
Title
Email Subscribers & Newsletters < 2.9.1 - Multiple XSS & SQLi
Published
2020-03-24
Title
Data Tables Generator By Supsystic < 1.9.92 - CSRF to Stored XSS, Data Table Creations, Settings Modification
Published
2016-06-20
Title
Jetpack <= 4.0.3 - Multiple Vulnerabilities
Published
2014-11-05
Title
BulletProof Security <= .51 - Multiple Vulnerabilities (XSS & SSRF)
Published
2014-08-01
Title
RokStories <= 1.25 - XSS,DoS,Disclosure,Upload Vulnerabilities