While looking into the details of a reflected cross-site scripting (XSS) vulnerability in the plugin Duplicate Page, we noticed that there was no protection against cross-site request forgery (CSRF) in the plugin's functionality for duplicating a post or page.
As of version 2.3 the URL used for duplication looks like this:
If there were protection against CSRF, a nonce would be included in that URL.
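To illustrate the point, here is an added example (not code from the Duplicate Page plugin) of a WordPress admin action handler written first without and then with CSRF protection. The action name dt_duplicate_post_as_draft and the post query parameter are taken from the proof-of-concept URL above; the function names, the nonce action string and the duplication body are assumptions made for the illustration.

```php
<?php
// Added example, not the Duplicate Page plugin's own code.
// Only the action name "dt_duplicate_post_as_draft" and the "post" parameter
// come from the advisory; everything else here is an assumed illustration.

// Shared helper (assumed): copy a post into a new draft and return its ID.
function dt_example_copy_as_draft( WP_Post $post ) {
    return wp_insert_post( array(
        'post_title'   => $post->post_title,
        'post_content' => $post->post_content,
        'post_type'    => $post->post_type,
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ) );
}

// Vulnerable pattern: the handler acts on ?action=...&post=N with no nonce
// check, so any request the browser sends while the user is logged in is
// honoured, including one triggered by a page the user did not intend to visit.
function dt_example_vulnerable_handler() {
    if ( ! isset( $_GET['post'] ) ) {
        wp_die( 'No post to duplicate.' );
    }
    $post = get_post( (int) $_GET['post'] );
    if ( ! $post ) {
        wp_die( 'Post not found.' );
    }
    $new_id = dt_example_copy_as_draft( $post );
    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_id ) );
    exit;
}

// Hardened pattern, part 1: the link the plugin emits carries a nonce bound to
// this action and post (wp_nonce_url appends _wpnonce=... to the URL).
function dt_example_duplicate_link( $post_id ) {
    $post_id = (int) $post_id;
    $url     = admin_url( 'admin.php?action=dt_duplicate_post_as_draft&post=' . $post_id );
    return wp_nonce_url( $url, 'dt_example_duplicate_' . $post_id, '_wpnonce' );
}

// Hardened pattern, part 2: the handler verifies the nonce and the user's
// capability before doing anything. A forged cross-site request cannot
// supply a valid nonce, so check_admin_referer() stops it.
function dt_example_hardened_handler() {
    if ( ! isset( $_GET['post'] ) ) {
        wp_die( 'No post to duplicate.' );
    }
    $post_id = (int) $_GET['post'];

    // Dies with the "link you followed has expired" screen on a missing or
    // invalid nonce; the nonce action must match the one used in the link.
    check_admin_referer( 'dt_example_duplicate_' . $post_id, '_wpnonce' );

    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to duplicate this post.' );
    }
    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_die( 'Post not found.' );
    }
    $new_id = dt_example_copy_as_draft( $post );
    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_id ) );
    exit;
}

// wp-admin/admin.php fires admin_action_{$action} for ?action=... requests.
add_action( 'admin_action_dt_duplicate_post_as_draft', 'dt_example_hardened_handler' );
```

The two checks serve different purposes: check_admin_referer() establishes that the request originated from a link the site itself generated for this logged-in user (the CSRF defence the advisory says is missing), while current_user_can() establishes that the user is permitted to act on that particular post. Binding the post ID into the nonce action means a nonce obtained for one post cannot be reused for another.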
We notified the developer of the issue through their website on October 4 and through the email address listed on the plugin’s page on wordpress.org on October 13. We have yet to hear back from them and a new version has not been released. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.
Proof of Concept
The following proof of concept will duplicate the post with ID number 1, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?action=dt_duplicate_post_as_draft&post=1
- October 4, 2017 – Developer notified.
- October 13, 2017 – Developer notified.