This is the fifth part of our “Multiple WordPress plugins fixed CSRF vulnerabilities” saga. If you missed the previous episodes, you can click on the links below:
Multiple WordPress plugins fixed CSRF vulnerabilities (part 1).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 2).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 3).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 4).
Vulnerable Plugins
1. Rucy
Vulnerable version: 0.4.4 and below (plugin closed)
Vulnerable nonce: inc/class-rucy-editor.php#L242
    if ( isset( $_POST['schroeder'] ) && ! wp_verify_nonce( $_POST['schroeder'], plugin_basename( __FILE__ ) ) ) {
        return;
    }
If $_POST['schroeder'] isn’t set, the nonce won’t be checked.
2. WP-Backgrounds Lite
Vulnerable version: 2.3 and below (plugin closed)
Vulnerable nonce: inoplugs_background_plugin.php#L183
    // verify nonce
    if ( isset( $_POST['ino_meta_box_nonce'] ) && ! wp_verify_nonce( $_POST['ino_meta_box_nonce'], basename( __FILE__ ) ) ) {
        return $post_id;
    }
If $_POST['ino_meta_box_nonce'] isn’t set, the nonce won’t be checked.
3. WP Security Question
Vulnerable version: 1.0.5 and below (plugin closed)
Vulnerable nonce: modules/settings/model.settings.php#L36
    if ( isset( $_REQUEST['_wpnonce'] ) ) {
        $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) );
    }
    if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {
        die( 'Cheating...' );
    }
If $_REQUEST['_wpnonce'] isn’t set, $nonce is never assigned and the nonce won’t be checked.
4. Event Espresso 4 Decaf – Event Registration Event Ticketing
Vulnerable version: 4.10.11.decaf and below (plugin closed)
Vulnerable nonce: core/domain/services/pue/Stats.php#L194
    // verify nonce
    if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( $_POST['nonce'], 'ee-data-optin' ) ) {
        exit();
    }
If $_POST['nonce'] isn’t set, the nonce won’t be checked.
5. WordPress Photo Gallery – Image Gallery
Vulnerable version: 1.0.6 and below (plugin closed)
Vulnerable nonce #1: includes/view/ajax-function.php#L562
    if ( ! isset( $_POST['galleryImgThumbnailLoadNonce'] ) && ! wp_verify_nonce( $_POST['galleryImgThumbnailLoadNonce'], 'gallery_img_thumbnail_load_nonce' ) ) {
        wp_die( 'Security check fail' );
    }
If $_POST['galleryImgThumbnailLoadNonce'] is set (to any value), the nonce won’t be checked.
Vulnerable nonce #2: includes/admin/admin-page-galleries.php#L107
    if ( isset( $_REQUEST['gallery_nonce_remove_image'] ) && ! wp_verify_nonce( $_REQUEST['gallery_nonce_remove_image'], 'gallery_nonce_remove_image' . $idfordelete ) ) {
        wp_die( 'Security check fail edit' );
    }
If $_REQUEST['gallery_nonce_remove_image'] isn’t set, the nonce won’t be checked.
6. Opal Estate
Vulnerable version: 1.6.11 and below (plugin closed)
Vulnerable nonce #1: inc/ajax-functions.php#L183
    if ( ! isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], 'nonce' ) ) {
        return;
    }
If $_REQUEST['nonce'] is set (to any value), the nonce won’t be checked.
Vulnerable nonce #2: inc/ajax-functions.php#L195
    if ( ! isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], 'nonce' ) ) {
        return;
    }
Same as above.
7. Sync to Etsy Marketplace from WooCommerce
Vulnerable version: 3.3.1 and below (plugin closed)
Vulnerable nonce: etsy-export-feed-manage.php#L737
    if ( ! isset( $_GET['ETCPF_security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['ETCPF_security'] ) ), 'delete_feed' ) ) {
        if ( ! current_user_can( 'editor' ) || ! current_user_can( 'administrator' ) ) {
            return false;
        }
    }
If $_GET['ETCPF_security'] is set (to any value), the nonce won’t be checked (and the two capability checks, which sit inside the same branch, will be bypassed as well).
8. RAYS Grid
Vulnerable version: 1.2.2 and below (plugin closed)
Vulnerable nonce: includes/class-db.php#L132
    if ( isset( $_POST['rsgd_nonce_fields'] ) && ! wp_verify_nonce( $_POST['rsgd_nonce_fields'], 'rsgd_nonce_fields' ) && ! current_user_can( 'edit_others_posts' ) ) {
        return;
    }
If $_POST['rsgd_nonce_fields'] isn’t set, the nonce won’t be checked (and the capability check, which is part of the same condition, will be bypassed as well).
9. Sell Media
Vulnerable version: 2.5.5 and below (plugin closed)
Vulnerable nonce: inc/gateways/class-sm-gateway-paypal-request.php#L85
    //check_ajax_referer( 'sell_media_paypal_nonce', 'nonce_security' );
    if ( isset( $_POST['_nonce'] ) && ! wp_verify_nonce( $_POST['_nonce'], 'sell_media_paypal_nonce' ) ) {
        $_send_data['status'] = false;
        wp_send_json( $_send_data );
        die();
    }
If $_POST['_nonce'] isn’t set, the nonce won’t be checked.
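Every entry above is one of two boolean mistakes: `isset( … ) && ! wp_verify_nonce( … )` only verifies when the attacker chooses to send the field, and `! isset( … ) && ! wp_verify_nonce( … )` only verifies when the field is absent. The PHP file below is an added example written for this post; it is not code from the advisory or from any of the listed plugins. It puts both vulnerable shapes beside the correct `! isset( … ) || ! wp_verify_nonce( … )` form and runs three constructed requests through each. The field name `nonce`, the action `demo-action` and the stubbed `wp_create_nonce()` / `wp_verify_nonce()` (defined only when WordPress has not already defined them, so the file runs under plain `php` from the command line) are assumptions for the demo.

```php
<?php
// Added example (not from the advisory or any listed plugin): the two
// bypassable nonce patterns beside the correct one.
// wp_create_nonce()/wp_verify_nonce() are stubbed only when absent, so this
// runs under plain `php`; inside WordPress the core functions are used.

if ( ! function_exists( 'wp_create_nonce' ) ) {
    // Constructed stand-in: real WordPress nonces are also bound to the user,
    // session and a time window. Only "valid vs. invalid" matters here.
    function wp_create_nonce( $action = -1 ) {
        return hash_hmac( 'sha256', (string) $action, 'constructed-demo-secret' );
    }
}
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action = -1 ) {
        return hash_equals( wp_create_nonce( $action ), (string) $nonce ) ? 1 : false;
    }
}

// Pattern A (entries 1-4, 8, 9): "isset && !verify". Verification only runs
// when the field is present, so a request that omits it skips the check.
function pattern_a_isset_and( array $request ): string {
    if ( isset( $request['nonce'] ) && ! wp_verify_nonce( $request['nonce'], 'demo-action' ) ) {
        return 'rejected';
    }
    return 'action performed';
}

// Pattern B (entries 5, 6, 7): "!isset && !verify". Verification only runs
// when the field is absent, so any present value (valid or not) passes.
// `?? ''` stands in for the undefined-index notice the originals would emit.
function pattern_b_not_isset_and( array $request ): string {
    if ( ! isset( $request['nonce'] ) && ! wp_verify_nonce( $request['nonce'] ?? '', 'demo-action' ) ) {
        return 'rejected';
    }
    return 'action performed';
}

// Fixed form: "!isset || !verify". Missing and invalid both reject. Inside
// WordPress, check_admin_referer()/check_ajax_referer() implement this and
// die on failure. A nonce proves intent, not authority: pair it with a
// current_user_can() check for the capability the action needs.
function fixed_not_isset_or( array $request ): string {
    if ( ! isset( $request['nonce'] ) || ! wp_verify_nonce( $request['nonce'], 'demo-action' ) ) {
        return 'rejected';
    }
    return 'action performed';
}

// Constructed requests: a cross-site forged POST carries no nonce or a
// guessed one; only the site's own form carries a valid one.
$requests = array(
    'no nonce field' => array(),
    'wrong nonce'    => array( 'nonce' => 'deadbeef' ),
    'valid nonce'    => array( 'nonce' => wp_create_nonce( 'demo-action' ) ),
);

foreach ( array( 'pattern_a_isset_and', 'pattern_b_not_isset_and', 'fixed_not_isset_or' ) as $fn ) {
    echo $fn, ":\n";
    foreach ( $requests as $label => $req ) {
        printf( "  %-15s -> %s\n", $label, $fn( $req ) );
    }
}
```

Running it shows the two bypass rows directly: pattern A performs the action for the request with no nonce field, pattern B performs it for the request with a wrong nonce, and only the fixed form performs it solely for the valid nonce. The same truth table is the quickest way to review any `isset`/`wp_verify_nonce` combination during a code audit: the guard is sound only when the absent case and the invalid case both end in the rejecting branch.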
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet