Multiple WordPress plugins fixed CSRF vulnerabilities (part 3).

This is the third part of our “Multiple WordPress plugins fixed CSRF vulnerabilities” saga. If you missed the previous episodes, you can consult them here:
Multiple WordPress plugins fixed CSRF vulnerabilities (part 1).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 2).

Vulnerable Plugins

1. Absolute Reviews
Vulnerable version: 1.0.8 and below
Vulnerable nonce: admin/class-absolute-reviews-admin.php#L645

if ( isset( $_POST['abr_review_meta'] ) && ! wp_verify_nonce( wp_unslash( $_POST['abr_review_meta'] ), 'abr_review_meta_nonce' ) ) { // Input var ok; sanitization ok.
   return;
}

If $_POST['abr_review_meta'] isn’t set, the nonce won’t be checked.


 

2. Advanced Popups
Vulnerable version: 1.1.1 and below
Vulnerable nonce: admin/class-advanced-popups-admin.php#L607

if ( isset( $_POST['adp_popup_meta'] ) && ! wp_verify_nonce( wp_unslash( $_POST['adp_popup_meta'] ), 'popup_meta_nonce' ) ) { // Input var ok; sanitization ok.
   return;
}

If $_POST['adp_popup_meta'] isn’t set, the nonce won’t be checked.


 

3. Remove Schema
Vulnerable version: 1.4 and below
Vulnerable nonce: admin/class-remove-schema-post-editor.php#L92

// security check
if ( isset($_POST['remove_schema_nonce']) && !wp_verify_nonce( $_POST['remove_schema_nonce'], plugin_basename( __FILE__ ) ) )
   return;

If $_POST['remove_schema_nonce'] isn’t set, the nonce won’t be checked.


 

4. Sunshine Photo Cart
Vulnerable version: 2.8.28 and below
Vulnerable nonce: admin/sunshine-products.php#L67

if ( ( isset( $_POST['_inline_edit'] ) && !wp_verify_nonce( $_POST['_inline_edit'], 'inlineeditnonce' ) ) ||
( isset( $_POST['sunshine_noncename'] ) && !wp_verify_nonce( $_POST['sunshine_noncename'], plugin_basename( __FILE__ ) ) ) ) {
   return;
}

If neither $_POST['_inline_edit'] nor $_POST['sunshine_noncename'] is set, neither nonce will be checked.


 

5. Ultimate Gift Cards For WooCommerce
Vulnerable version: 2.1.1 and below
Vulnerable nonce: admin/class-woocommerce-gift-cards-lite-admin.php#L471

if ( isset( $_POST['mwb_wgm_product_nonce_field'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['mwb_wgm_product_nonce_field'] ) ), 'mwb_wgm_lite_nonce' ) ) {
   return;
}

If $_POST['mwb_wgm_product_nonce_field'] isn’t set, the nonce won’t be checked.


 

6. wp-mpdf
Vulnerable version: 3.5.1 and below
Vulnerable nonce: wp-mpdf.php#L557

if ( isset( $_POST['wp_mpdf_noncename'] ) && ! wp_verify_nonce( $_POST['wp_mpdf_noncename'], plugin_basename( __FILE__ ) ) ) {
   return $post_id;
}

If $_POST['wp_mpdf_noncename'] isn’t set, the nonce won’t be checked.


 

7. Staff Directory Plugin
Vulnerable version: 3.6 and below
Vulnerable nonce: gold-framework/gold-plugins-custom-post-type.php#L312

if ( isset($_POST[ 'my-custom-fields_wpnonce' ]) && !wp_verify_nonce( $_POST[ 'my-custom-fields_wpnonce' ], 'my-custom-fields' ) ){
   return;
}

If $_POST[ 'my-custom-fields_wpnonce' ] isn’t set, the nonce won’t be checked.


 

8. DW Question & Answer
Vulnerable version: 1.5.7 and below (unfixed)
Vulnerable nonce: inc/Handle.php#L144

if ( !isset( $_POST['_wpnonce'] ) && !wp_verify_nonce( esc_html( $_POST['_wpnonce'] ), '_dwqa_edit_answer' ) ) {
   dwqa_add_notice( __( 'Hello, Are you cheating huh?', 'dw-question-answer' ), 'error' );
}

Because the condition is inverted (!isset), if $_POST['_wpnonce'] is set, the nonce won’t be checked.


 

9. Contact Form 7 Style
Vulnerable version: 3.2 and below (unfixed)
Vulnerable nonce: cf7-style-meta-box.php#L553

// verify quick edit nonce
if ( isset( $_POST[ '_inline_edit' ] ) && ! wp_verify_nonce( sanitize_text_field( $_POST[ '_inline_edit' ] ), 'inlineeditnonce' ) )
   return $post_id;

If $_POST[ '_inline_edit' ] isn’t set, the nonce won’t be checked.
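As an added example (not code from any of the plugins above), here is the pattern shared by every entry in this list beside a correct check, run against three constructed requests. wp_verify_nonce() is stubbed only so the file runs outside WordPress; the token it accepts is a constructed value, not how WordPress validates nonces.

```php
<?php
// Stub so this runs standalone; inside WordPress the real wp_verify_nonce() is used.
// The accepted token is a constructed value for this demo only.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action ) {
        return hash_equals( 'constructed-valid-nonce', (string) $nonce ) ? 1 : false;
    }
}

/**
 * The pattern found in the plugins above: the nonce is verified only when the
 * field is present, so a request that simply omits it is treated as authorised.
 * Returns true when the save handler would proceed.
 */
function vulnerable_handler( array $post ) {
    if ( isset( $post['meta_nonce'] ) && ! wp_verify_nonce( $post['meta_nonce'], 'meta_nonce_action' ) ) {
        return false; // only reached when a nonce is present AND wrong
    }
    return true;
}

/**
 * Hardened form: a missing nonce fails exactly like an invalid one.
 * (Inside WordPress, check_admin_referer() expresses the same rule.)
 */
function hardened_handler( array $post ) {
    if ( ! isset( $post['meta_nonce'] ) || ! wp_verify_nonce( $post['meta_nonce'], 'meta_nonce_action' ) ) {
        return false;
    }
    return true;
}

// Constructed requests: a legitimate form, a tampered nonce, and the CSRF case
// where the forged form leaves the nonce field out altogether.
$requests = array(
    'valid nonce'   => array( 'meta_nonce' => 'constructed-valid-nonce', 'title' => 'x' ),
    'bad nonce'     => array( 'meta_nonce' => 'forged', 'title' => 'x' ),
    'missing nonce' => array( 'title' => 'x' ),
);

foreach ( $requests as $label => $post ) {
    printf( "%-14s vulnerable=%s hardened=%s\n", $label,
        vulnerable_handler( $post ) ? 'saves' : 'blocks',
        hardened_handler( $post ) ? 'saves' : 'blocks' );
}
```

The "missing nonce" row is the one that matters: the vulnerable handler saves, the hardened one blocks.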


 

Recommendations

Make sure to update to the latest version if you are running any of the above-mentioned plugins. If you had some of the vulnerable plugins installed on your blog and were using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you have already been informed about those issues by email.
