1 Apr 2022

Not Really a WordPress Plugin Vulnerability, Week of April 1

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of those that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Request Forgery (CSRF) in Curtain

The report for a claimed cross-site request forgery (CSRF) vulnerability in Curtain only includes a proof of concept and not the underlying code, which turns out to be important. While the proof of concept appears to produce the claimed result, changing the status of the plugin’s maintenance mode, in reality all that is happening is that an admin notice is shown, the one that would normally appear after the change has already been made. The relevant code is the function admin_notices() in the file /main.php, and it makes no change to the maintenance mode setting:

// Only the notice text is derived from the request; the maintenance mode option is not written here.
if( isset( $_GET['mode'] ) ) {

	$mode = $_GET['mode'];
	$status = ( $mode ? __( 'activated', 'curtain' ) : __( 'deactivated', 'curtain' ) );

	echo '<div class="' . ( $mode ? 'updated' : 'error' ) . ' is-dismissible"><p>';

		printf( __( 'The Maintenance mode has been %s.', 'curtain' ), '<b>' . $status . '</b>' );

	echo '</p></div>';
}
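The behaviour the report mistook for a state change is only the last step of a longer flow. As an added illustration, not Curtain’s code (the option name, action name and function names are hypothetical), this is the standard WordPress pattern in which the actual write is guarded by a nonce and capability check, and the notice hook only reads a display flag from the redirect that follows:

```php
<?php
// Added illustration (not Curtain's code): a WordPress settings toggle in which the
// state change and the notice reporting it are separate steps. The option name
// 'example_maintenance_mode', the action 'example_toggle_maintenance' and the
// example_* function names are hypothetical.

// Step 1: the handler that actually changes the setting. This is the code a CSRF
// review has to look at: the nonce check and capability check guard the write.
function example_handle_maintenance_toggle() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with the "link you followed has expired" page if the nonce is missing or stale.
    check_admin_referer( 'example_toggle_maintenance' );

    $mode = isset( $_GET['mode'] ) ? (int) $_GET['mode'] : 0;
    update_option( 'example_maintenance_mode', $mode ? 1 : 0 );

    // Step 2: redirect back to the settings page carrying a display flag.
    wp_safe_redirect( add_query_arg( 'mode', $mode, admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
add_action( 'admin_post_example_toggle_maintenance', 'example_handle_maintenance_toggle' );

// Step 3: the notice. Like Curtain's admin_notices(), it reacts to ?mode= without
// touching the option, so requesting this URL directly changes nothing.
function example_admin_notices() {
    if ( ! isset( $_GET['mode'] ) ) {
        return;
    }
    $status = $_GET['mode'] ? 'activated' : 'deactivated';
    printf(
        '<div class="%s is-dismissible"><p>The Maintenance mode has been <b>%s</b>.</p></div>',
        $_GET['mode'] ? 'updated' : 'error',
        esc_html( $status )
    );
}
add_action( 'admin_notices', 'example_admin_notices' );

// The link that triggers Step 1 carries the nonce, which a request forged from
// another site cannot supply.
function example_toggle_link( $mode ) {
    $url = add_query_arg(
        array( 'action' => 'example_toggle_maintenance', 'mode' => (int) $mode ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_toggle_maintenance' );
}
```

When assessing a CSRF report against a plugin, the function to inspect is the one that calls update_option() (Step 1 here), not the one that renders the notice.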

Authenticated Cross-Site Scripting (XSS) in Donorbox

With a claimed authenticated stored cross-site scripting (XSS) vulnerability in Donorbox, the proof of concept starts with these steps:

1) Install donorbox-donation-form
<https://wordpress.org/plugins/amministrazione-aperta/> WordPress plugin
2) Open donorbox plugin settings

To access the plugin’s settings, the user has to be logged in as an Administrator:

add_options_page('Donorbox', 'Donorbox', 'administrator', __FILE__, array('Donorbox_donation_form','donorbox_display_options_page'));

If an attacker is logged in as an Administrator, they can do basically whatever they want, so this really wouldn’t be a vulnerability.
