21 Nov

False Vulnerability Report: Cross Site Request Forgery / Cross Site Scripting in MailChimp for WordPress 4.0.7

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them. The data on these false reports is also included in our service’s data.

There seem to be a variety of causes for false reports of vulnerabilities in WordPress plugins, including lack of proper testing of possible vulnerabilities, intentional false reports, and what seems to be the cause of lot of them, the reporter not really understanding what the vulnerability would actually involve. No matter how obvious it is that they are false, these reports often get presented along side legitimate reports, that includes in WordPress security plugins, as we were just discussing when it comes to one plugin earlier today.

The false report of a claimed cross-site request forgery (CSRF)/cross-site scripting vulnerability in MailChimp for WordPress version 4.0.7 looks to fall in the category of the reporter not knowing what the vulnerability would actually involve.

To protect against cross-site request forgery in WordPress a nonce is used. So if a relevant request can be made without a nonce being provided in the request or with out a valid nonce, there is a vulnerability. Here is the beginning of the proof of concept for the claimed vulnerability:

<form action="http://localhost/wp/wp-admin/admin.php?page=mailchimp-for-wp-forms&view=edit-form&form_id=60" method="POST">

Title:<input type="text" name="mc4wp_form[name]" size="30" value="For Testing" id="title" spellcheck="true" autocomplete="off" placeholder="Enter the title of your sign-up form" style="line-height: initial;" >
<input type="submit" style="display: none; " />
<input type="hidden" name="_mc4wp_action" value="edit_form" />
<input type="hidden" name="mc4wp_form_id" value="60" />
<input type="hidden" id="_mc4wp_nonce" name="_mc4wp_nonce" value="ad1a3e81af" />

The lasts line is the nonce and it looks like a valid one (as opposed to a placeholder, if the plugin’s code didn’t actual check to see if the nonce value is valid). A valid value only works with the particular website and user, so a proof of concept showing that indicates that the person behind the report doesn’t understand this type of vulnerability when it comes to WordPress. Just to be sure we checked and found that when submitting the request that is supposed to be vulnerable, with either no nonce or and invalid one the plugin properly recognizes the situation and does not permit the request. Therefore there is no vulnerability.

Leave a Reply

Your email address will not be published. Required fields are marked *