Last revision: November 16, 2020
This is an addendum to our previous post, 25 WordPress plugins vulnerable to CSRF attacks. We have reported additional WordPress plugins and themes that are vulnerable to CSRF attacks, and we will update this post as their respective authors fix them.
Vulnerable Plugins
1. Ocean Extra (600,000+ installations).
Vulnerable version: 1.6.5 and below.
Vulnerable nonces: includes/panel/updater.php L247, L564, L637 and L934:
```php
247 if (!current_user_can('manage_options') || (isset($_REQUEST['_wpnonce']) && !wp_verify_nonce($_REQUEST['_wpnonce'], 'oceanwp_options-options')))
248     return;
...
564 if (!current_user_can('manage_options') || (isset($_REQUEST['_wpnonce']) && !wp_verify_nonce($_REQUEST['_wpnonce'], 'oceanwp_options-options')))
565     return;
...
637 if (!current_user_can('manage_options') || (isset($_REQUEST['_wpnonce']) && !wp_verify_nonce($_REQUEST['_wpnonce'], 'oceanwp_options-options')))
638     return;
...
934 if (!current_user_can('manage_options') || (isset($_REQUEST['_wpnonce']) && !wp_verify_nonce($_REQUEST['_wpnonce'], 'changelog_link_nonce')))
935     return;
```
If $_REQUEST['_wpnonce'] is not set, the isset() test is false, wp_verify_nonce() is never called, and the function keeps running: a request that simply omits the nonce passes the check.
2. EWWW Image Optimizer (800,000+ installations).
Vulnerable version: 5.8.1 and below.
Vulnerable nonces: classes/class-ewww-nextgen.php L858:
```php
if ( empty( $_REQUEST['ewww_wpnonce'] ) && ! wp_verify_nonce( sanitize_key( $_REQUEST['ewww_wpnonce'] ), 'ewww-image-optimizer-bulk' ) || ! current_user_can( $permissions ) ) {
	$output['error'] = esc_html__( 'Access denied.', 'ewww-image-optimizer' );
	ewwwio_ob_clean();
	wp_die( wp_json_encode( $output ) );
}
```
If $_REQUEST['ewww_wpnonce'] is not empty, the empty() test is false, the && short-circuits and wp_verify_nonce() is never called: any non-empty value passes the check.
Vulnerable Themes
1. Customizr (70,000+ installations).
Vulnerable version: 4.3.0 and below.
Vulnerable nonces: core/czr-admin-ccat.php L1764, L1792, L2345 and L2559:
```php
1763 // verify this came from our screen and with proper authorization,
1764 if ( isset( $_POST['post_layout_noncename']) && !wp_verify_nonce( $_POST['post_layout_noncename'], plugin_basename( __FILE__ ) ) )
1765     return;
...
1791 // verify this came from our screen and with proper authorization,
1792 if ( isset( $_POST['post_slider_noncename']) && !wp_verify_nonce( $_POST['post_slider_noncename'], plugin_basename( __FILE__ ) ) )
1793     return;
...
2342 // verify this came from our screen and with proper authorization,
2343 // because save_post can be triggered at other times
2344
2345 if ( isset( $_POST['slider_noncename']) && !wp_verify_nonce( $_POST['slider_noncename'], plugin_basename( __FILE__ ) ) )
2346     return;
...
2558 //We check the ajax nonce (common for post and attachment)
2559 if ( isset( $_POST['SliderCheckNonce']) && !wp_verify_nonce( $_POST['SliderCheckNonce'], 'tc-slider-check-nonce' ) )
2560     return;
```
In all 4 cases, if the security nonce is not set, it won't be checked and the handler keeps running.
2. Hueman (50,000+ installations).
Vulnerable version: 3.6.1 and below.
Vulnerable nonces: option-tree/includes/class-ot-meta-box.php L211:
```php
// Verify nonce.
if ( isset( $_POST[ $this->meta_box['id'] . '_nonce' ] ) && ! wp_verify_nonce( $_POST[ $this->meta_box['id'] . '_nonce' ], $this->meta_box['id'] ) ) { // phpcs:ignore
	return $post_id;
}
```
If the security nonce is not set, it won’t be checked.
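The two flawed check shapes above (isset() && !wp_verify_nonce() in Ocean Extra, Customizr and Hueman; empty() && !wp_verify_nonce() in EWWW Image Optimizer) can be run side by side with a corrected check to see exactly which forged request each one lets through. The following is an added example, not code from any of the plugins or themes above: it models each check as a function over a plain request array, and replaces wp_verify_nonce() with a stand-in (fake_verify_nonce, an assumption for offline use) that accepts only one constructed token. The capability check is assumed to pass, as it does when the victim is a logged-in administrator.

```php
<?php
// Added example, not code from the plugins or themes discussed in this post.
// It models the two flawed nonce-check shapes and the corrected shape as
// functions over a request array, so the logic can be run outside WordPress.

const VALID_NONCE = 'constructed-valid-token'; // constructed sample value

// Stand-in for wp_verify_nonce() (assumption): true only for the known-good
// token. Real nonces are bound to the action, user and session; this is not.
function fake_verify_nonce(string $nonce, string $action): bool
{
    return $nonce === VALID_NONCE;
}

// Shape 1 (Ocean Extra, Customizr, Hueman): reject only when the nonce is
// present AND invalid. Returns true when the handler would keep running.
function allowed_isset_style(array $request): bool
{
    if (isset($request['_wpnonce']) && !fake_verify_nonce($request['_wpnonce'], 'demo-action')) {
        return false; // the original code does `return;` here
    }
    return true;
}

// Shape 2 (EWWW Image Optimizer): reject only when the nonce is empty AND
// invalid; a non-empty nonce short-circuits the && and is never verified.
function allowed_empty_style(array $request): bool
{
    $nonce = $request['ewww_wpnonce'] ?? '';
    if (empty($nonce) && !fake_verify_nonce($nonce, 'demo-action')) {
        return false;
    }
    return true;
}

// Corrected shape: the nonce must be present AND valid, otherwise stop.
function allowed_hardened(array $request): bool
{
    if (!isset($request['_wpnonce']) || !fake_verify_nonce($request['_wpnonce'], 'demo-action')) {
        return false;
    }
    return true;
}

// Constructed requests: one with no nonce at all, one with a guessed nonce,
// and one carrying the legitimate token.
$cases = [
    'no nonce'    => [],
    'bogus nonce' => ['_wpnonce' => 'guess', 'ewww_wpnonce' => 'guess'],
    'valid nonce' => ['_wpnonce' => VALID_NONCE, 'ewww_wpnonce' => VALID_NONCE],
];

printf("%-12s %-12s %-12s %s\n", 'request', 'isset-style', 'empty-style', 'hardened');
foreach ($cases as $label => $request) {
    printf("%-12s %-12s %-12s %s\n",
        $label,
        allowed_isset_style($request) ? 'ALLOWED' : 'rejected',
        allowed_empty_style($request) ? 'ALLOWED' : 'rejected',
        allowed_hardened($request) ? 'ALLOWED' : 'rejected'
    );
}
```

Running it shows the isset-style check allowing the request with no nonce, the empty-style check allowing the request with a bogus nonce, and the hardened check allowing only the request carrying the valid token. In real WordPress code the hardened shape is what check_admin_referer() and check_ajax_referer() implement, with the difference that they stop the request with wp_die() when the nonce is missing or invalid instead of returning.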
Recommendations
Make sure to update to the latest version if you are running any of the above-mentioned themes or plugins.
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet