30 Nov

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Wp-D3

From time to time vulnerabilities are fixed in plugins without anyone putting out a report on the vulnerability, and in those cases we will put out a post detailing it. While putting out the details of a vulnerability increases the chances of it being exploited, it can also help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.

A cross-site request forgery (CSRF) vulnerability in the plugin Wp-D3 was discovered by Klikki Oy, but they didn’t provide any details on what exactly the vulnerability was connected to. Looking at the changes made in the version that was supposed to have included the fix, 2.4.1, it is easy to spot what that was.

In the file /utils.php there are five functions made accessible through WordPress’s AJAX functionality. In version 2.4.1, code was added to each of them to check for a valid nonce before running the rest of the function’s code, which prevents CSRF. One of those checks is shown below:

$nonceValid = check_ajax_referer('wpd3-nonce', 'security'); 
if (!$nonceValid) { 
	wp_send_json_error(); 
}

Without that CSRF protection, if an attacker could have gotten a logged-in user to visit a URL they specified, the function previewContent() could be used to cause reflected cross-site scripting (XSS), deleteCustomField() could be used to pass values specified by the attacker to delete_post_meta(), and setCustomField() could be used to pass values specified by the attacker to add_post_meta().
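
The same kind of review can be automated when auditing a plugin: the following added example (not code from the plugin or from the original post) lists each wp_ajax_ hook in a PHP source string and flags callbacks whose body never calls a nonce-verification function. The PHP sample is constructed for illustration; only the function names, the 'wpd3-nonce' action and the 'security' field come from the post, and the helper names are assumptions.

```python
import re

# Constructed sample, NOT the plugin's real source: two AJAX handlers, one guarded.
SAMPLE_PHP = r"""
add_action('wp_ajax_previewContent', 'previewContent');
add_action('wp_ajax_setCustomField', 'setCustomField');

function previewContent() {
    echo $_GET['editor'];
    die();
}

function setCustomField() {
    $nonceValid = check_ajax_referer('wpd3-nonce', 'security');
    if (!$nonceValid) {
        wp_send_json_error();
    }
    add_post_meta($_POST['postId'], $_POST['key'], $_POST['value']);
    die();
}
"""

HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
NONCE_RE = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")

def function_body(src, name):
    """Return the brace-balanced body of a top-level PHP function, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    # Heuristic: braces inside PHP strings or comments are not skipped.
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def unguarded_ajax_handlers(src):
    """List (action, callback) pairs whose callback body never verifies a nonce."""
    findings = []
    for _, action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is not None and not NONCE_RE.search(body):
            findings.append((action, callback))
    return findings

if __name__ == "__main__":
    for action, callback in unguarded_ajax_handlers(SAMPLE_PHP):
        print(f"wp_ajax_{action} -> {callback}(): no nonce check found")
```

This is a triage heuristic: it only follows callbacks registered as string names in the same file, and a flagged handler still needs manual review.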

Proof of Concept

The following proof of concept URL will cause any available cookies to be shown in an alert box when logged in to WordPress. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=previewContent&postId=1&editor=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
