Multiple WordPress plugins fixed CSRF vulnerabilities (part 1).

Back in September 2020, we discovered 33 WordPress plugins and themes vulnerable to cross-site request forgery (CSRF) attacks. Twenty-nine have been fixed so far (see here and there).
Earlier this month we decided to check again for similar issues, and we ended up finding more vulnerable plugins than we did last September. As it will likely take some time before they all get patched, we’ll disclose the fixed ones in batches of 10 to 15 plugins. Here’s the first batch:

Vulnerable Plugins

1. Post SMTP Mailer/Email Log
Vulnerable version: 2.0.20 and below.
Vulnerable nonce: Postman/Postman-Email-Log/PostmanEmailLogController.php#L79

if ( isset( $_REQUEST['post-smtp-log-nonce'] ) && ! wp_verify_nonce( $_REQUEST['post-smtp-log-nonce'], 'post-smtp' ) )
   die( 'Security check' );

If $_REQUEST['post-smtp-log-nonce'] isn’t set, the nonce won’t be checked.

2. Forminator
Vulnerable version: 1.14.8 and below.
Vulnerable nonce #1: library/modules/quizzes/front/front-render.php#L1337

if ( isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], 'forminator_submit_form' ) ) {
   wp_send_json_error( new WP_Error( 'invalid_code' ) );
}

If $_REQUEST['nonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #2: library/modules/custom-forms/front/front-action.php#L1499

if ( isset( $post_data['nonce'] ) && ! wp_verify_nonce( $post_data['nonce'], 'forminator_submit_form' ) ) {
   wp_send_json_error( new WP_Error( 'invalid_code' ) );
}

If $post_data['nonce'] isn’t set, the nonce won’t be checked.

3. Dokan
Vulnerable version: 3.2.0 and below.
Vulnerable nonce #1: includes/Ajax.php#L421

if ( isset( $_POST['dokan_security_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['dokan_security_nonce'] ), 'dokan_security_action' ) ) {
   die( -1 );
}

If $_POST['dokan_security_nonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #2: includes/Admin/UserProfile.php#L541

if ( isset( $post_data['dokan_update_user_profile_info_nonce'] ) && ! wp_verify_nonce( $post_data['dokan_update_user_profile_info_nonce'], 'dokan_update_user_profile_info' ) ) {
   return;
}

If $post_data['dokan_update_user_profile_info_nonce'] isn’t set, the nonce won’t be checked.

4. Defender Security
Vulnerable version: 2.4.6 and below.
Vulnerable nonce: src/controller/two-factor.php#L208

if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'verify_otp' ) ) {
   return;
}

If $_POST['_wpnonce'] isn’t set, the nonce won’t be checked.

5. Abandoned Cart Lite for WooCommerce
Vulnerable version: 5.8.5 and below.
Vulnerable nonce #1: woocommerce-ac.php#L412

if ( isset( $_REQUEST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), 'woocommerce-abandoned-cart' ) ) {
   die( 'Security check' );
}

If $_REQUEST['_wpnonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #2: woocommerce-ac.php#L449

if ( isset( $_REQUEST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), 'woocommerce-abandoned-cart' ) ) {
   die( 'Security check' );
}

Same as above.

6. Style Kits
Vulnerable version: 1.8.0 and below.
Vulnerable nonce: inc/class-quick-edit.php#L163

if ( isset( $_POST['ang_sk_update_nonce'] ) && ! wp_verify_nonce( $_POST['ang_sk_update_nonce'], plugin_basename( __FILE__ ) ) ) { // phpcs:ignore
   return;
}

If $_POST['ang_sk_update_nonce'] isn’t set, the nonce won’t be checked.

7. WP ERP
Vulnerable version: 1.7.4 and below.
Vulnerable nonce: modules/hrm/includes/class-form-handler.php#L1227

if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'erp-settings-nonce' ) ) {
   die( 'Nonce failed.' );
}

If $_POST['_wpnonce'] isn’t set, the nonce won’t be checked.

8. eCommerce Product Catalog
Vulnerable version: 3.0.17 and below.
Vulnerable nonce: modules/cart/includes/orders/includes/register-digital-orders.php#L398

$order_summary_meta_noncename = isset( $_POST[ 'order_summary_meta_noncename' ] ) ? $_POST[ 'order_summary_meta_noncename' ] : '';
if ( !empty( $order_summary_meta_noncename ) && !wp_verify_nonce( $order_summary_meta_noncename, plugin_basename( __FILE__ ) ) ) {
   return $post->ID;
}

If $_POST['order_summary_meta_noncename'] is empty or not set, the nonce won’t be checked.

9. WP Project Manager
Vulnerable version: 2.4.9 and below.
Vulnerable nonce: core/Promotions/Offers.php#L137

if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'pm_dismiss_offer' ) ) {
   wp_send_json_error( __( 'Invalid nonce', 'wedevs-project-manager' ) );
}

If $_POST['nonce'] isn’t set, the nonce won’t be checked.

10. WP Private Content Plus
Vulnerable version: 3.1 and below.
Vulnerable nonce: classes/class-wppcp-groups.php#L188

$nonce = isset($_POST['wppcp_backend_group_add_new_member_nonce']) ? 
sanitize_text_field($_POST['wppcp_backend_group_add_new_member_nonce']) : '';
if ( isset($_POST['wppcp_backend_group_add_new_member_nonce']) && ! wp_verify_nonce( $nonce, 'wppcp-backend-group-add-new-member-nonce' ) ) {
   return;
}

If $_POST['wppcp_backend_group_add_new_member_nonce'] isn’t set, the nonce won’t be checked.

11. Better Search
Vulnerable version: 2.5.2 and below.
Vulnerable nonce #1: includes/admin/tools.php#L223

if ( isset( $_POST['bsearch_export_settings_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['bsearch_export_settings_nonce'] ), 'bsearch_export_settings_nonce' ) ) {
   return;
}

If $_POST['bsearch_export_settings_nonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #2: includes/admin/tools.php#L257

if ( isset( $_POST['bsearch_import_settings_nonce'] ) && ! wp_verify_nonce( sanitize_key( $_POST['bsearch_import_settings_nonce'] ), 'bsearch_import_settings_nonce' ) ) {
   return;
}

If $_POST['bsearch_import_settings_nonce'] isn’t set, the nonce won’t be checked.

12. Custom Banners
Vulnerable version: 3.2.2 and below.
Vulnerable nonce: gold-framework/gold-plugins-custom-post-type.php#L191

// exit if nonce is not present or invalid
if ( empty($_POST[ 'my-custom-fields_wpnonce' ]) 
   || ! wp_verify_nonce( $_POST[ 'my-custom-fields_wpnonce' ], 'my-custom-fields' ) ) {
   return;
}

If $_POST[ 'my-custom-fields_wpnonce' ] isn’t set, the nonce won’t be checked.

13. ElasticPress
Vulnerable version: 3.5.3 and below.
Vulnerable nonce: includes/classes/Feature/Autosuggest/Autosuggest.php#L640

if ( ! empty( $_REQUEST['ep_epio_nonce'] ) && ! wp_verify_nonce( $_REQUEST['ep_epio_nonce'], 'ep-epio-set-autosuggest' ) ) {
   return;
}

If $_REQUEST['ep_epio_nonce'] is empty or not set, the nonce won’t be checked.

14. WP Travel
Vulnerable version: 4.4.6 and below.
Vulnerable nonce: inc/admin/class-admin-metaboxes.php#L431

if ( isset( $_POST['wp_travel_save_data'] ) && ! wp_verify_nonce( $_POST['wp_travel_save_data'], 'wp_travel_save_data_process' ) ) {
   return;
}

If $_POST['wp_travel_save_data'] isn’t set, the nonce won’t be checked.

15. Process Steps Template Designer
Vulnerable version: 1.2.1 and below.
Vulnerable nonce: icons-selector/font-awesome-field.php#L215

if ( isset( $_POST['fa_field_icon_nonce'] ) && ! wp_verify_nonce( $_POST['fa_field_icon_nonce'], 'fa_field_icon' ) ) {
   return;
}

If $_POST['fa_field_icon_nonce'] isn’t set, the nonce won’t be checked.
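
To make the shared flaw concrete, here is an added example (not code from this advisory or from any of the plugins listed above) that puts the isset() && ! wp_verify_nonce() pattern next to its correct form and runs both against three constructed requests. wp_verify_nonce() is stubbed so the script runs outside WordPress; the function names vulnerable_check and correct_check and the action name save_settings are invented for the illustration.

```php
<?php
// Added example: the flawed nonce check shared by the plugins above, beside a
// correct one. wp_verify_nonce() is stubbed so this runs outside WordPress;
// a real plugin uses the core function, which returns 1, 2 or false.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action ) {
        // Stub only: a real nonce is a keyed hash tied to user, session and action.
        return hash_equals( 'valid-' . $action, (string) $nonce ) ? 1 : false;
    }
}

// Vulnerable pattern (hypothetical handler): verification runs only when the
// field is present, so a request that simply omits the nonce skips the check.
function vulnerable_check( array $request, $action ) {
    if ( isset( $request['_wpnonce'] ) && ! wp_verify_nonce( $request['_wpnonce'], $action ) ) {
        return 'rejected';
    }
    return 'accepted';
}

// Correct pattern: a missing nonce is treated exactly like an invalid one.
// Inside WordPress, check_admin_referer() / check_ajax_referer() do this for you.
function correct_check( array $request, $action ) {
    if ( ! isset( $request['_wpnonce'] ) || ! wp_verify_nonce( $request['_wpnonce'], $action ) ) {
        return 'rejected';
    }
    return 'accepted';
}

// Constructed sample requests standing in for $_POST.
$requests = array(
    'valid nonce'   => array( '_wpnonce' => 'valid-save_settings', 'value' => 'x' ),
    'wrong nonce'   => array( '_wpnonce' => 'garbage',             'value' => 'x' ),
    'nonce omitted' => array( 'value' => 'x' ),
);

printf( "%-14s %-12s %s\n", 'request', 'vulnerable', 'correct' );
foreach ( $requests as $label => $post ) {
    printf( "%-14s %-12s %s\n", $label,
        vulnerable_check( $post, 'save_settings' ),
        correct_check( $post, 'save_settings' ) );
}
// The "nonce omitted" row is the CSRF case: the vulnerable check accepts it,
// the correct check rejects it; the other two rows agree.
```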
Recommendations

Make sure to update to the latest version if you are running any of the above-mentioned plugins. If you had some of the vulnerable plugins installed on your blog and were using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you have already been informed of those issues by email.

Timeline

All vulnerabilities were reported to the WordPress.org Plugin Team between February 12 and 15, 2021.
