Back in September 2020, we discovered 33 WordPress plugins and themes vulnerable to cross-site request forgery (CSRF) attacks. Twenty-nine have been fixed so far (see here and there).
Earlier this month we decided to check again for similar issues, and we found even more vulnerable plugins than we did last September. As it will likely take some time before they all get patched, we’ll disclose the fixed ones in batches of 10 to 15 plugins. Here’s the first batch:
Vulnerable Plugins
1. Post SMTP Mailer/Email Log
Vulnerable version: 2.0.20 and below.
Vulnerable nonce: Postman/Postman-Email-Log/PostmanEmailLogController.php#L79
if ( isset( $_REQUEST['post-smtp-log-nonce'] ) && ! wp_verify_nonce( $_REQUEST['post-smtp-log-nonce'], 'post-smtp' ) ) die( 'Security check' );
If $_REQUEST['post-smtp-log-nonce'] isn’t set, the nonce won’t be checked.
2. Forminator
Vulnerable version: 1.14.8 and below.
Vulnerable nonce #1: library/modules/quizzes/front/front-render.php#L1337
if ( isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], 'forminator_submit_form' ) ) { wp_send_json_error( new WP_Error( 'invalid_code' ) ); }
If $_REQUEST['nonce'] isn’t set, the nonce won’t be checked.
Vulnerable nonce #2: library/modules/custom-forms/front/front-action.php#L1499
if ( isset( $post_data['nonce'] ) && ! wp_verify_nonce( $post_data['nonce'], 'forminator_submit_form' ) ) { wp_send_json_error( new WP_Error( 'invalid_code' ) ); }
If $post_data['nonce'] isn’t set, the nonce won’t be checked.
3. Dokan
Vulnerable version: 3.2.0 and below.
Vulnerable nonce #1: includes/Ajax.php#L421
if ( isset( $_POST['dokan_security_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['dokan_security_nonce'] ), 'dokan_security_action' ) ) { die( -1 ); }
If $_POST['dokan_security_nonce'] isn’t set, the nonce won’t be checked.
Vulnerable nonce #2: includes/Admin/UserProfile.php#L541
if ( isset( $post_data['dokan_update_user_profile_info_nonce'] ) && ! wp_verify_nonce( $post_data['dokan_update_user_profile_info_nonce'], 'dokan_update_user_profile_info' ) ) { return; }
If $post_data['dokan_update_user_profile_info_nonce'] isn’t set, the nonce won’t be checked.
4. Defender Security
Vulnerable version: 2.4.6 and below.
Vulnerable nonce: src/controller/two-factor.php#L208
if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'verify_otp' ) ) { return; }
If $_POST['_wpnonce'] isn’t set, the nonce won’t be checked.
5. Abandoned Cart Lite for WooCommerce
Vulnerable version: 5.8.5 and below.
Vulnerable nonce #1: woocommerce-ac.php#L412
if ( isset( $_REQUEST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), 'woocommerce-abandoned-cart' ) ) { die( 'Security check' ); }
If $_REQUEST['_wpnonce'] isn’t set, the nonce won’t be checked.
Vulnerable nonce #2: woocommerce-ac.php#L449
if ( isset( $_REQUEST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), 'woocommerce-abandoned-cart' ) ) { die( 'Security check' ); }
Same as above.
6. Style Kits
Vulnerable version: 1.8.0 and below.
Vulnerable nonce: inc/class-quick-edit.php#L163
if ( isset( $_POST['ang_sk_update_nonce'] ) && ! wp_verify_nonce( $_POST['ang_sk_update_nonce'], plugin_basename( __FILE__ ) ) ) { // phpcs:ignore
    return;
}
If $_POST['ang_sk_update_nonce'] isn’t set, the nonce won’t be checked.
7. WP ERP
Vulnerable version: 1.7.4 and below.
Vulnerable nonce: modules/hrm/includes/class-form-handler.php#L1227
if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'erp-settings-nonce' ) ) { die( 'Nonce failed.' ); }
If $_POST['_wpnonce'] isn’t set, the nonce won’t be checked.
8. eCommerce Product Catalog
Vulnerable version: 3.0.17 and below.
Vulnerable nonce: modules/cart/includes/orders/includes/register-digital-orders.php#L398
$order_summary_meta_noncename = isset( $_POST[ 'order_summary_meta_noncename' ] ) ? $_POST[ 'order_summary_meta_noncename' ] : '';
if ( !empty( $order_summary_meta_noncename ) && !wp_verify_nonce( $order_summary_meta_noncename, plugin_basename( __FILE__ ) ) ) {
    return $post->ID;
}
If $_POST['order_summary_meta_noncename'] is empty or not set, the nonce won’t be checked.
9. WP Project Manager
Vulnerable version: 2.4.9 and below.
Vulnerable nonce: core/Promotions/Offers.php#L137
if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'pm_dismiss_offer' ) ) { wp_send_json_error( __( 'Invalid nonce', 'wedevs-project-manager' ) ); }
If $_POST['nonce'] isn’t set, the nonce won’t be checked.
10. WP Private Content Plus
Vulnerable version: 3.1 and below.
Vulnerable nonce: classes/class-wppcp-groups.php#L188
$nonce = isset($_POST['wppcp_backend_group_add_new_member_nonce']) ? sanitize_text_field($_POST['wppcp_backend_group_add_new_member_nonce']) : '';
if ( isset($_POST['wppcp_backend_group_add_new_member_nonce']) && ! wp_verify_nonce( $nonce, 'wppcp-backend-group-add-new-member-nonce' ) ) {
    return;
}
If $_POST['wppcp_backend_group_add_new_member_nonce'] isn’t set, the nonce won’t be checked.
11. Better Search
Vulnerable version: 2.5.2 and below.
Vulnerable nonce #1: includes/admin/tools.php#L223
if ( isset( $_POST['bsearch_export_settings_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['bsearch_export_settings_nonce'] ), 'bsearch_export_settings_nonce' ) ) { return; }
If $_POST['bsearch_export_settings_nonce'] isn’t set, the nonce won’t be checked.
Vulnerable nonce #2: includes/admin/tools.php#L257
if ( isset( $_POST['bsearch_import_settings_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['bsearch_import_settings_nonce'] ), 'bsearch_import_settings_nonce' ) ) { return; }
If $_POST['bsearch_import_settings_nonce'] isn’t set, the nonce won’t be checked.
12. Custom Banners
Vulnerable version: 3.2.2 and below.
Vulnerable nonce: gold-framework/gold-plugins-custom-post-type.php#L191
// exit if nonce is not present or invalid if ( empty($_POST[ 'my-custom-fields_wpnonce' ]) || ! wp_verify_nonce( $_POST[ 'my-custom-fields_wpnonce' ], 'my-custom-fields' ) ) { return; }
If $_POST[ 'my-custom-fields_wpnonce' ] isn’t set, the nonce won’t be checked.
13. ElasticPress
Vulnerable version: 3.5.3 and below.
Vulnerable nonce: includes/classes/Feature/Autosuggest/Autosuggest.php#L640
if ( ! empty( $_REQUEST['ep_epio_nonce'] ) && ! wp_verify_nonce( $_REQUEST['ep_epio_nonce'], 'ep-epio-set-autosuggest' ) ) { return; }
If $_REQUEST['ep_epio_nonce'] is empty or not set, the nonce won’t be checked.
14. WP Travel
Vulnerable version: 4.4.6 and below.
Vulnerable nonce: inc/admin/class-admin-metaboxes.php#L431
if ( isset( $_POST['wp_travel_save_data'] ) && ! wp_verify_nonce( $_POST['wp_travel_save_data'], 'wp_travel_save_data_process' ) ) { return; }
If $_POST['wp_travel_save_data'] isn’t set, the nonce won’t be checked.
15. Process Steps Template Designer
Vulnerable version: 1.2.1 and below.
Vulnerable nonce: icons-selector/font-awesome-field.php#L215
if ( isset( $_POST['fa_field_icon_nonce'] ) && ! wp_verify_nonce( $_POST['fa_field_icon_nonce'], 'fa_field_icon' ) ) { return; }
If $_POST['fa_field_icon_nonce'] isn’t set, the nonce won’t be checked.
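Every entry above is the same logic error: the nonce is only verified when the request happens to carry it. The script below is an added example (not code from the advisory or from any of the listed plugins) that puts the vulnerable form next to the hardened form and runs both over three constructed requests; the wp_verify_nonce() stand-in is a test double so it runs outside WordPress, and the parameter name `_wpnonce` and action `verify_otp` are assumptions taken from the Defender Security entry.

```php
<?php
// Added example, not code from the advisory or the plugins it lists.
// Test double for WordPress's wp_verify_nonce() so the script runs on the
// php CLI: the real function returns 1 or 2 for a valid nonce, false otherwise.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action ) {
        return ( (string) $nonce === 'good-nonce-' . $action ) ? 1 : false;
    }
}

// The pattern shared by all 15 plugins above: wp_verify_nonce() is only
// reached when the parameter is present, so a request that omits it
// falls through to the handler. (The "! empty( ... ) &&" variant in
// entries 8 and 13 additionally lets an empty string through.)
function vulnerable_check( array $request, string $action ): bool {
    if ( isset( $request['_wpnonce'] ) && ! wp_verify_nonce( $request['_wpnonce'], $action ) ) {
        return false; // stands in for die(), return, wp_send_json_error()
    }
    return true; // handler proceeds
}

// Hardened form: a missing OR invalid nonce both abort. Inside WordPress,
// check_admin_referer( $action ) and check_ajax_referer( $action, 'nonce' )
// implement exactly this and die() on failure, so prefer them over hand-rolled checks.
function hardened_check( array $request, string $action ): bool {
    if ( ! isset( $request['_wpnonce'] ) || ! wp_verify_nonce( $request['_wpnonce'], $action ) ) {
        return false;
    }
    return true;
}

$action   = 'verify_otp';
$requests = array( // constructed sample requests
    'valid nonce'   => array( '_wpnonce' => 'good-nonce-verify_otp' ),
    'wrong nonce'   => array( '_wpnonce' => 'not-the-right-value' ),
    'nonce omitted' => array(), // the case every entry above describes
);

foreach ( $requests as $label => $req ) {
    printf( "%-14s vulnerable: %-8s hardened: %s\n", $label,
        vulnerable_check( $req, $action ) ? 'allowed' : 'blocked',
        hardened_check( $req, $action ) ? 'allowed' : 'blocked' );
}
```

The third row is the whole advisory in one line: the vulnerable check lets the nonce-less request through while the hardened one blocks it.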
Recommendations
Make sure to update to the latest version if you are running any of the above-mentioned plugins. If you had some of the vulnerable plugins installed on your blog and were using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you have already been informed about those issues by email.
Timeline
All vulnerabilities were reported to the WordPress.org Plugin Team between February 12 and 15, 2021.
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet