01 Jun

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Companion Auto Update

We recently found that the plugin Companion Auto Update contained a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability with the plugin’s settings.

The CSRF portion is caused by a nonce not being included with the request that changes the plugin's settings, and by the absence of a check that a valid nonce is present when the settings are saved.

For the XSS portion, when the settings were saved the “Email address” input was not sanitized (in the file /companion-auto-update.php):

$email = $_POST['cau_email']; // raw request value, no sanitization
$wpdb->query( " UPDATE $table_name SET onoroff = '$email' WHERE name = 'email' " ); // stored as-is

When it was output on the settings page it wasn’t escaped either:

if( $cau_configs[4]->onoroff == '' ) $toemail = get_option('admin_email');
else $toemail = $cau_configs[4]->onoroff;
// the stored value is echoed into an attribute without esc_attr()
<input type="text" name="cau_email" id="cau_email" class="regular-text" placeholder="<?php echo get_option('admin_email'); ?>" value="<?php echo $toemail; ?>" />

After we notified the developer, they released version 2.9.4, which fixes the XSS portion by sanitizing the input using sanitize_email():

$email          = sanitize_email( $_POST['cau_email'] );

The CSRF portion still exists at this time.

Update 2/15/2018: Version 3.0.2 of the plugin has resolved the CSRF portion of the vulnerability.
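For reference, here is how the save and display path described above looks once all three defects are addressed: a nonce that is emitted with the form and verified on save, input validated with sanitize_email()/is_email() and bound through $wpdb->prepare(), and output escaped with esc_attr(). This is an added example and not the plugin's own code; $table_name and $cau_configs are taken from the snippets above, while the nonce action/field names ('cau_save_settings', 'cau_nonce') and function names are hypothetical.

```php
<?php
// Added example, not code from Companion Auto Update. Assumes $table_name and
// $cau_configs are populated the way the plugin's own snippets use them; the
// nonce action/field names and the function names here are hypothetical.

// 1. Saving: require a capability, a valid nonce, and a well-formed e-mail,
//    and bind the value with $wpdb->prepare() instead of interpolating it.
function cau_example_save_settings() {
    global $wpdb, $table_name;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() stops the request unless a nonce tied to this
    // user and action is present, which a form on another site cannot supply.
    check_admin_referer( 'cau_save_settings', 'cau_nonce' );

    $email = sanitize_email( wp_unslash( $_POST['cau_email'] ?? '' ) );
    if ( '' !== $email && ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.' );
    }

    $wpdb->query( $wpdb->prepare(
        "UPDATE {$table_name} SET onoroff = %s WHERE name = 'email'",
        $email
    ) );
}

// 2. Output: escape the stored value for the attribute context and emit the
//    nonce field inside the form so the check above succeeds for real users.
function cau_example_render_email_field( $cau_configs ) {
    $toemail = ( '' === $cau_configs[4]->onoroff )
        ? get_option( 'admin_email' )
        : $cau_configs[4]->onoroff;
    ?>
    <form action="<?php echo esc_url( admin_url( 'tools.php?page=cau-settings' ) ); ?>" method="post">
        <?php wp_nonce_field( 'cau_save_settings', 'cau_nonce' ); ?>
        <input type="text" name="cau_email" id="cau_email" class="regular-text"
               placeholder="<?php echo esc_attr( get_option( 'admin_email' ) ); ?>"
               value="<?php echo esc_attr( $toemail ); ?>" />
        <?php submit_button( 'Save Changes' ); ?>
    </form>
    <?php
}
```

Both the capability check and the nonce check are needed: the capability check alone does not stop a logged-in administrator's browser from submitting a form served by another site.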

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/tools.php?page=cau-settings, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/tools.php?page=cau-settings" method="POST">
<input type="hidden" name="cau_email" value='"</textarea><script>alert(document.cookie);</script>'>
<input type="submit" name="submit" value="Save Changes" />
</form>

  • May 30, 2017 – Developer notified.
  • May 31, 2017 – Version 2.9.4 released, which fixes the XSS portion of the CSRF/XSS vulnerability. CSRF portion still exists.
  • February 10, 2018 – Version 3.0.2 released, which fixes the CSRF portion of the vulnerability.
