ThirstyAffiliates [Multiple Vulnerabilities]
IMPORTANT: Some, if not all, of these issues were reported to the plugin author by James Golovich, as stated in the plugin changelog for v2.6.2. I asked James for further clarification, so the content of this report might be updated as soon as I have it.
Multiple vulnerabilities were found in the ThirstyAffiliates plugin. The root cause is the lack of capability checks and anti-CSRF (nonce) checks in the AJAX hooks registered by this plugin.
A registered user account is required to exploit these vulnerabilities because all of the actions are registered as privileged (logged-in only) AJAX hooks. No specific capability is required, though, so any logged-in role will do.
Vulnerable AJAX hooks are:
Actions 1 and 2 import and export the plugin's options, so they should be available only to users with administrative rights.
All other actions relate to listing, creating and changing specific links. The plugin author added a capability requirement for those actions in v2.6.2, which is supposed to patch these issues. CSRF attacks are still possible for most of those actions, however, because no prevention mechanism is implemented when
Use the following URL to create arbitrary links:
The form displayed at the above link actually uses the AJAX action to create links.
The following form uploads an image from the URL given in imgUrl and attaches it to the post with ID 1:
<form action="http://sbwp1.dev/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="action" value="thirstyUploadImageFromUrl" />
    <input type="hidden" name="imgUrl" value="http://dansilivestru.github.io/phonegap-day-slides/images/pwnage.png" />
    <input type="hidden" name="postId" value="1" />
    <input type="submit" value="Click Me" />
</form>
Capability checks were implemented in v2.6.2, but the CSRF vulnerabilities still exist.
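To make the two missing checks concrete, here is an added example (written for this report, not ThirstyAffiliates' own code) of an admin-ajax handler for the thirstyUploadImageFromUrl action used by the form above. The first handler has the shape the advisory describes: reachable by any logged-in user, no capability check, no nonce. The second is the hardened form with both checks. The function names, the nonce action name, the script handle and the capabilities chosen (upload_files / edit_post) are assumptions; only the action name and the imgUrl/postId parameters come from the PoC form.

```php
<?php
/*
 * Illustration only (not ThirstyAffiliates code). The AJAX action name and the
 * imgUrl/postId parameters come from the advisory's PoC form; the function
 * names, capabilities, nonce action and script handle are assumptions.
 */

/* --- Vulnerable shape -------------------------------------------------
 * Registered on wp_ajax_ only (not wp_ajax_nopriv_), so a session is needed,
 * but no capability is checked and no nonce is verified: any logged-in role
 * can call it directly, and a cross-site POST rides the victim's cookies.
 */
add_action( 'wp_ajax_thirstyUploadImageFromUrl', 'example_vuln_upload_image_from_url' );

function example_vuln_upload_image_from_url() {
    $img_url = $_POST['imgUrl'];
    $post_id = (int) $_POST['postId'];
    // Fetches the remote file into the media library and attaches it to $post_id.
    $result = media_sideload_image( $img_url, $post_id, null, 'id' );
    wp_send_json( array( 'status' => is_wp_error( $result ) ? 'failed' : 'success', 'id' => $result ) );
}

/* --- Hardened shape --------------------------------------------------- */
add_action( 'wp_ajax_thirstyUploadImageFromUrl', 'example_safe_upload_image_from_url' );

function example_safe_upload_image_from_url() {
    // 1. Anti-CSRF: the request must carry a nonce bound to this action and
    //    the current user. check_ajax_referer() terminates with -1 on mismatch,
    //    so a form hosted on another origin cannot supply a valid one.
    check_ajax_referer( 'thirsty_upload_image', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability
    //    that matches the operation (assumed: upload_files). The options
    //    import/export actions would use manage_options instead.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation and a per-object check on the target post.
    $post_id = isset( $_POST['postId'] ) ? absint( $_POST['postId'] ) : 0;
    $img_url = isset( $_POST['imgUrl'] ) ? esc_url_raw( wp_unslash( $_POST['imgUrl'] ) ) : '';
    if ( ! $post_id || ! $img_url || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    $result = media_sideload_image( $img_url, $post_id, null, 'id' );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( array( 'id' => $result ) );
}

/* The nonce is minted server-side and handed only to the plugin's own admin
 * script (handle 'example-thirsty-admin' is assumed to be registered), which
 * then sends it as the "nonce" POST field alongside action/imgUrl/postId. */
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-thirsty-admin', 'exampleThirsty', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'thirsty_upload_image' ),
    ) );
} );
```

With the hardened handler in place, the PoC form above fails at check_ajax_referer() before any file is fetched, and a low-privileged account that replays the request with a valid nonce is stopped by current_user_can(). Both checks are needed: the capability check alone (what v2.6.2 adds) still lets a cross-site form act with an administrator's privileges.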