More WordPress plugins and themes vulnerable to CSRF attacks.

Last revision: November 16, 2020

This is an addendum to our previous post 25 WordPress plugins vulnerable to CSRF attacks. As we have reported additional WordPress plugins and themes that were vulnerable to CSRF attacks, we’ll update this post when they will be fixed by their respective authors.

Vulnerable Plugins

1. Ocean Extra (600,000+ installations).
Vulnerable version: 1.6.5 and below.
Vulnerable nonces: includes/panel/updater.php L247, L564, L637 and L934:

247   if (!current_user_can('manage_options') ||(isset($_REQUEST['_wpnonce'])&& !wp_verify_nonce($_REQUEST['_wpnonce'], 'oceanwp_options-options')))
248	   return;
...
...
564   if (!current_user_can('manage_options') || (isset($_REQUEST['_wpnonce'])&&!wp_verify_nonce($_REQUEST['_wpnonce'], 'oceanwp_options-options')))
565	   return;
..
..
637   if (!current_user_can('manage_options') || (isset($_REQUEST['_wpnonce'])&&!wp_verify_nonce($_REQUEST['_wpnonce'], 'oceanwp_options-options')))
638	   return;
...
...
934   if (!current_user_can('manage_options') || (isset($_REQUEST['_wpnonce'])&&!wp_verify_nonce($_REQUEST['_wpnonce'], 'changelog_link_nonce')))
935	   return;

If $_REQUEST['_wpnonce'] is not set, it won’t be checked.


2. EWWW Image Optimizer (800,000+ installations).
Vulnerable version: 5.8.1 and below.
Vulnerable nonces: classes/class-ewww-nextgen.php L858:

if ( empty( $_REQUEST['ewww_wpnonce'] ) && ! wp_verify_nonce( sanitize_key( $_REQUEST['ewww_wpnonce'] ), 'ewww-image-optimizer-bulk' ) || ! current_user_can( $permissions ) ) {
   $output['error'] = esc_html__( 'Access denied.', 'ewww-image-optimizer' );
   ewwwio_ob_clean();
   wp_die( wp_json_encode( $output ) );
}

If $_REQUEST['ewww_wpnonce'] is not empty, it won’t be checked.


Vulnerable Themes

1. Customizr (70,000+ installations).
Vulnerable version: 4.3.0 and below.
Vulnerable nonces: core/czr-admin-ccat.php L1764, L1792, L2345 and L2559:

1763   // verify this came from our screen and with proper authorization,
1764   if ( isset( $_POST['post_layout_noncename']) && !wp_verify_nonce( $_POST['post_layout_noncename'], plugin_basename( __FILE__ ) ) )
1765      return;
...
...
1791   // verify this came from our screen and with proper authorization,
1792   if ( isset( $_POST['post_slider_noncename']) && !wp_verify_nonce( $_POST['post_slider_noncename'], plugin_basename( __FILE__ ) ) )
1793      return;
...
...
2342   // verify this came from our screen and with proper authorization,
2343   // because save_post can be triggered at other times
2344
2345   if ( isset( $_POST['slider_noncename']) && !wp_verify_nonce( $_POST['slider_noncename'], plugin_basename( __FILE__ ) ) )
2346      return;
...
...
2558   //We check the ajax nonce (common for post and attachment)
2559   if ( isset( $_POST['SliderCheckNonce']) && !wp_verify_nonce( $_POST['SliderCheckNonce'], 'tc-slider-check-nonce' ) )
2560      return;

In all 4 cases, if the security nonce is not set it won’t be checked.


2. Hueman (50,000+ installations).
Vulnerable version: 3.6.1 and below.
Vulnerable nonces: option-tree/includes/class-ot-meta-box.php L211:

// Verify nonce.
if ( isset( $_POST[ $this->meta_box['id'] . '_nonce' ] ) && ! wp_verify_nonce( $_POST[ $this->meta_box['id'] . '_nonce' ], $this->meta_box['id'] ) ) { // phpcs:ignore
   return $post_id;
}

If the security nonce is not set, it won’t be checked.


Recommendations

Make sure to update to the latest version if you are running any of the above-mentioned themes or plugins.