2 Mar 2022

WordPress Plugin Claimed to Contain “Critical 0-day Vulnerability” Contains at Least Authenticated Settings Change Vulnerability

On February 15, a topic was started on the wordpress.org support forum for the WordPress plugin Photonic with the title “Critical 0-day vulnerability in the Photonic Plugin v 2.75”. That was subsequently deleted by a moderator, but nothing was done with the plugin on WordPress’ plugin directory. It is still available for download and has not been updated. While we can’t say if the claim made in the title is true since the details of the claim are not available, we easily found that the plugin is lacking basic security and contains at least an authenticated settings change vulnerability. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found are addressed.

The plugin registers the function save_token_in_options() to be accessible by anyone logged in to WordPress: [Read more]

3 Feb 2022

WP Google Map Still Contains CSRF/Settings Change Vulnerability After Multiple Security Updates

The WordPress plugin WP Google Map, which has 20,000+ installs, recently came onto our radar due to obfuscated code in the plugin. That code has now been removed, but when we went to check on that, we noticed the plugin had a vulnerability right below the code containing the obfuscation. What makes that stand out more is that it is still there after multiple security updates to the plugin. Here are the most recent changelog entries for the plugin, with only one of those versions, 1.8.2, not referencing a security change being made:

1.8.5

  • Code Optimization
  • Security enhancement

1.8.4

  • CSRF issue fixing
  • Tabs UI update
  • Marker Icon preview issue fixing
  • DB query and code optimized

1.8.3

  • Ajax Security issues resolved
  • Marker Edit page minor bug fixing

1.8.2

  • Clickable marker infowindow introduced.

1.8.1

  • Hot fix: Security issue fixed.

1.8.0

  • Multiple Marker system introduced.
  • Complete Admin UI updated for a better experience.
  • Datatable introduced for Map and Marker listing.
  • Added advanced option for API load restriction, prevent other map API loading with user consent.
  • Support page modified for better support.
  • Marker Description and Image attachment support implemented.
  • Security improvement.

1.7.7

  • Minor bug fixing
  • Autoloader class implemented
  • Map control options added (disable zoom, disable street view option, disable drag, disable double click zoom, disable pan control)
  • Security improvement
  • Appsero SDK implement for prompt support to users

Cross-Site Request Forgery/Settings Change

The plugin registers a settings page to be accessible to Administrators with the following code: [Read more]

7 Dec 2021

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in PublishPress Capabilities

Based on the level of insecurity we found while looking into the details of a serious vulnerability being fixed in version 2.3.1 of the WordPress plugin PublishPress Capabilities, we started checking for other security issues and we quickly found another vulnerability. The plugin doesn’t check for a valid nonce when making changes on the plugin’s Admin Features page.

What makes that vulnerability more concerning is that the vulnerable feature was only introduced in version 2.3 of the plugin: [Read more]

3 Dec 2021

Closed WordPress Plugin With 40,000+ Installs Contains CSRF/XSS Vulnerability

Yesterday, the WordPress plugin WP Extra File Types was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a cross-site request forgery (CSRF) vulnerability that can be used to change the plugin’s settings and add malicious JavaScript code to those, which is cross-site scripting (XSS).

The plugin registers a settings page for itself, which calls the function admin_page(): [Read more]

11 Nov 2021

CSRF/Settings Change Vulnerability in Visitor Traffic Real Time Statistics

A recent thread on the WordPress Support Forum claims the WordPress plugin Visitor Traffic Real Time Statistics led to a website being hacked. The claim isn’t backed up with any evidence to support it, and claims like that are often incorrect, but we wanted to quickly check over the plugin to make sure there wasn’t an obvious issue currently in the plugin that could cause that. What we immediately found was that the plugin isn’t properly secured, and it contains a minor vulnerability. Making the insecurity stand out more is that at the end of September, the developer claimed to have addressed the type of vulnerability we found, but hadn’t even made changes that should address it.

There appear to be other security issues in the plugin as well, so we would recommend not using the plugin unless the developer can show that they are able to properly secure the plugin. [Read more]

21 Sep 2021

Gutenberg Blocks Plugin with 40,000+ Installs Contains Multiple Vulnerabilities

The WordPress plugin Getwid, which contains “a collection of 40+ Gutenberg blocks”, was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 40,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains at least an authenticated information disclosure vulnerability and a cross-site request forgery (CSRF)/settings change vulnerability. Both of those involve an Instagram access token.

Authenticated Information Disclosure

The plugin registers the function get_instagram_token() to be accessible to anyone logged in to WordPress through its AJAX functionality: [Read more]

27 Aug 2021

Hackers Certainly Could Be Interested in Exploiting this Vulnerability in the Simple eCommerce WordPress Plugin

Earlier this week we had what looked to be a hacker probing for usage of the WordPress plugin Simple eCommerce on our website with this request:

/wp-content/plugins/simple-e-commerce-shopping-cart/readme.txt [Read more]

11 Oct 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Settings Change in Page Animations And Transitions

One of the changelog entries for the latest version of the plugin Page Animations And Transitions is “Form Security Improved.” Looking at the changes made in that version, that may refer to adding protection against cross-site request forgery (CSRF) when handling the changing of the plugin’s settings.

[Read more]