We recently found that the GoDaddy Email Marketing plugin contained a cross-site request forgery (CSRF) vulnerability that could have caused all the data associated with the plugin to be deleted.
When the debug mode of the plugin is enabled, the option to do a “cache reset” or a “hard reset” is made available. The “hard reset” causes all of the data in the plugin to be deleted. As of version 1.1.2, a request for the URL /wp-admin/options-general.php?page=gem-settings&action=debug-reset would cause that to happen. As you can see, there is no nonce included in that URL; a nonce is what WordPress uses to prevent CSRF (and there was also no check to make sure that a valid nonce was included before processing the request). Without that, if you could get a logged-in administrator to visit that URL directly or cause them to send a request to that URL from a page you control, then all the data would be deleted.
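To make the missing check concrete, here is an added illustration (not code from the GoDaddy Email Marketing plugin or its developer) of a hypothetical WordPress settings-page handler written both ways: the pattern that processes a destructive `action=debug-reset` request with no nonce, and the hardened pattern using WordPress's own `wp_nonce_url()` and `check_admin_referer()`. The function names, the `example-settings` page slug, the `example_debug_reset` nonce action and the `example_plugin_settings` option are all assumptions made for the example.

```php
<?php
// Added illustration, not code from the GoDaddy Email Marketing plugin.
// Hypothetical admin-page handler showing the pattern that leaves a
// destructive action open to CSRF, and the hardened pattern WordPress provides.

// --- Vulnerable pattern: acts on ?action=debug-reset with no nonce check. ---
// A capability check alone does not help: the browser of a logged-in admin
// sends the request, so current_user_can() passes for a forged request too.
function example_unsafe_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_GET['action'] ) && 'debug-reset' === $_GET['action'] ) {
        example_hard_reset(); // deletes all plugin data on any matching request
    }
    // Reset link rendered without a nonce (hypothetical page slug):
    $reset_url = admin_url( 'options-general.php?page=example-settings&action=debug-reset' );
    echo '<a href="' . esc_url( $reset_url ) . '">Hard reset</a>';
}

// --- Hardened pattern: link carries a nonce, handler verifies it first. ---
function example_safe_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_GET['action'] ) && 'debug-reset' === $_GET['action'] ) {
        // check_admin_referer() stops with a "link has expired" page unless
        // the _wpnonce query argument is present and valid for this action
        // and the current user; only then does the reset run.
        check_admin_referer( 'example_debug_reset' );
        example_hard_reset();
    }
    // wp_nonce_url() appends _wpnonce=<token> bound to the action name and
    // the logged-in user, so a link forged on another site cannot carry it.
    $reset_url = wp_nonce_url(
        admin_url( 'options-general.php?page=example-settings&action=debug-reset' ),
        'example_debug_reset'
    );
    echo '<a href="' . esc_url( $reset_url ) . '">Hard reset</a>';
}

function example_hard_reset() {
    // Hypothetical stand-in for the plugin's data wipe.
    delete_option( 'example_plugin_settings' );
}
```

The nonce and the capability check serve different purposes and both are needed: `current_user_can()` confirms who the user is, while the nonce confirms the request came from a page WordPress generated for that user rather than from a third-party page. Because `check_admin_referer()` dies on failure, nothing after it runs when the nonce is missing or invalid.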
Turning on the debug mode was properly protected against CSRF, so this was only exploitable if debug mode was already enabled.
After we notified the developer, they released two versions of 1.1.3 of the plugin. The first version was intended to fix this, but was missing any changes. The second version of it included the fixes, and version 1.1.4 was released right after that, so anyone with the first version of 1.1.3 will be prompted to upgrade to a fixed version.
Proof of Concept
The following proof of concept will cause the data associated with the plugin to be deleted, when logged in as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/options-general.php?page=gem-settings&action=debug-reset
- 10/10/2016 – Contacted developer publicly to see how we could privately notify them of the issue.
- 10/19/2016 – Developer responds after another one of their plugins is pulled from the directory due to a vulnerability we discovered.
- 10/19/2016 – We privately notified the developer of the issue.
- 10/19/2016 – First version of 1.1.3 released, which was intended to fix the vulnerability but was missing any changes.
- 10/26/2016 – Second version of 1.1.3 released, which fixes the vulnerability.