Multiple WordPress plugins fixed CSRF vulnerabilities (part 2).

This is the second part of our “Multiple WordPress plugins fixed CSRF vulnerabilities” saga. If you missed the first part, you can access it here.

Vulnerable Plugins

1. Qtranslate Slug
Vulnerable version: 1.1.18 and below (unfixed).
Vulnerable nonce: includes/class-qtranslate-slug.php#L2106

if ((defined('DOING_AUTOSAVE') && DOING_AUTOSAVE)    // check autosave
   || (!isset($_POST['post_ID']) || $post_id != $_POST['post_ID']) // check revision
   || (isset($_POST['qts_nonce']) && !wp_verify_nonce( $_POST['qts_nonce'], 'qts_nonce'))  // verify nonce
   || (!current_user_can($post_type_object->cap->edit_post, $post_id))) {  // check permission
   return $post_id;
}

If $_POST['qts_nonce'] isn’t set, the nonce won’t be checked.


2. WC Marketplace
Vulnerable version: 3.7.3 and below.
Vulnerable nonce: classes/class-wcmp-vendor-dashboard.php#L468

if (!empty($_POST['wcmp_submit_product_comment'])) {
   // verify nonce
   if (isset($_POST['vendor_add_product_nonce']) && !wp_verify_nonce($_POST['vendor_add_product_nonce'], 'dc-vendor-add-product-comment'))
      return false;

If $_POST['vendor_add_product_nonce'] isn’t set, the nonce won’t be checked.


3. Custom css-js-php
Vulnerable version: 2.0.7 and below (unfixed).
Vulnerable nonce: modules/code/model.code.php#L91

if ( isset( $_REQUEST['_wpnonce'] ) ) {
   $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) );
}

if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {

   die( 'Cheating...' );
}

If $_REQUEST['_wpnonce'] isn’t set, the nonce won’t be checked.


4. Multiple Roles
Vulnerable version: 1.3.1 and below (unfixed).
Vulnerable nonce: controllers/checklist.php#L98

if ( isset( $_POST['md_multiple_roles_nonce'] ) && ! wp_verify_nonce( $_POST['md_multiple_roles_nonce'], 'update-md-multiple-roles' ) ) {
   return;
}

If $_POST['md_multiple_roles_nonce'] isn’t set, the nonce won’t be checked.


5. Edwiser Bridge
Vulnerable version: 2.0.6 and below.
Vulnerable nonce #1: admin/class-eb-welcome.php#L312

if ( isset( $_POST['subscribe_nonce_field'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['subscribe_nonce_field'] ) ), 'subscribe_nonce' ) ) {
   die( esc_html__( 'Action failed. Please refresh the page and retry.', 'eb-textdomain' ) );
}

If $_POST['subscribe_nonce_field'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #2: admin/class-eb-welcome.php#L341

if ( isset( $_POST['subscribe_nonce_field'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['subscribe_nonce_field'] ) ), 'subscribe_nonce' ) ) {
   esc_html_e( 'Sorry, there is a problem!', 'eb-textdomain' );
   exit;
}

Same as above.

Vulnerable nonce #3: public/templates/account/form-login.php#L15

if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'eb-login' ) ) {
   return;
}

If $_POST['_wpnonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #4: includes/payments/eb-ipn.php#L16

if ( isset( $custom_data->eb_nonce ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $custom_data->eb_nonce ) ), 'eb_paypal_nonce' ) ) {
   return;
}

If $custom_data->eb_nonce isn’t set, the nonce won’t be checked.

Vulnerable nonce #5: includes/class-eb-user-manager.php#L995

if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'bulk-users' ) ) {
   return;
}

If $_GET['_wpnonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #6: includes/class-eb-custom-list-table.php#L339

if ( isset( $_REQUEST['eb-manage-user-enrol'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['eb-manage-user-enrol'] ) ), 'eb-manage-user-enrol' ) ) {
   return;
}

If $_REQUEST['eb-manage-user-enrol'] isn’t set, the nonce won’t be checked.


6. WP Prayer
Vulnerable version: 1.6.5 and below.
Vulnerable nonce #1: modules/settings/model.settings.php#L33

if ( isset( $_REQUEST['_wpnonce'] ) ) {
   $nonce = sanitize_text_field( $_REQUEST['_wpnonce'] );
}
if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {
   die( 'Cheating...' );
}

If $_REQUEST['_wpnonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #2: modules/shortcode/model.shortcode.php#L44

if (isset($_REQUEST['_wpnonce'])) {
   $nonce = sanitize_text_field($_REQUEST['_wpnonce']);
}
if (isset($nonce) and ! wp_verify_nonce($nonce, 'wpgmp-nonce')) {
    die('Cheating...');
}

Same as above.

Vulnerable nonce #3: modules/email_settings/model.email_settings.php#L20

if ( isset( $_REQUEST['_wpnonce'] ) ) {
   $nonce = sanitize_text_field( $_REQUEST['_wpnonce'] );
}

if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {
   die( 'Cheating...' );
}

Same as above.

Vulnerable nonce #4: modules/prayer/model.prayer.php#L87

if (isset($_REQUEST['_wpnonce'])) {
   $nonce = sanitize_text_field($_REQUEST['_wpnonce']);
}
if (isset($nonce) and ! wp_verify_nonce($nonce, 'wpgmp-nonce')) {
   die('Cheating...');
}

Same as above.
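
Every snippet above has the same shape: the nonce is verified only when the request happens to carry the nonce field, so a request that leaves the field out is never checked. The following is an added example, not code from this post or from any of the plugins listed; it puts that shape beside the hardened form and runs both against a few constructed requests. The wp_verify_nonce() stand-in, the vulnerable_check() and hardened_check() names and the request arrays are assumptions made for this example only; inside WordPress the real wp_verify_nonce() is used instead.

```php
<?php
// Added example, not from the post or the plugins it lists: the shared
// anti-pattern beside its hardened form, run against constructed requests.

// Stand-in (assumption) so the file runs outside WordPress. The real
// wp_verify_nonce() returns 1 or 2 on success and false on failure; this
// stand-in accepts exactly one constructed value per action.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action = -1 ) {
        return ( $nonce === 'valid-nonce-for-' . $action ) ? 1 : false;
    }
}

/**
 * The shape used by every snippet in the post. Verification is gated on the
 * field being present, so a request that omits the field never reaches
 * wp_verify_nonce(). Returns true when the handler is allowed to proceed.
 */
function vulnerable_check( array $request, string $field, string $action ): bool {
    if ( isset( $request[ $field ] ) && ! wp_verify_nonce( $request[ $field ], $action ) ) {
        return false;
    }
    return true; // also reached when the field is absent
}

/**
 * Hardened shape: a missing field fails the check. This is what WordPress's
 * check_admin_referer( $action, $field ) does, except that it calls wp_die()
 * on failure instead of returning.
 */
function hardened_check( array $request, string $field, string $action ): bool {
    if ( ! isset( $request[ $field ] ) || ! wp_verify_nonce( $request[ $field ], $action ) ) {
        return false;
    }
    return true;
}

// Constructed requests standing in for $_POST (field and action names are
// taken from the Qtranslate Slug snippet above).
$requests = array(
    'valid nonce'   => array( 'post_ID' => 7, 'qts_nonce' => 'valid-nonce-for-qts_nonce' ),
    'wrong nonce'   => array( 'post_ID' => 7, 'qts_nonce' => 'garbage' ),
    'nonce omitted' => array( 'post_ID' => 7 ),
);

foreach ( $requests as $label => $request ) {
    printf(
        "%-14s vulnerable=%-8s hardened=%s\n",
        $label,
        vulnerable_check( $request, 'qts_nonce', 'qts_nonce' ) ? 'allowed' : 'rejected',
        hardened_check( $request, 'qts_nonce', 'qts_nonce' ) ? 'allowed' : 'rejected'
    );
}
```

Run it with the php command-line binary: the request without the nonce field is the only one on which the two checks disagree, and it is the one the vulnerable check lets through. In real plugin code, pass the field through wp_unslash() and sanitize_text_field() before verifying, as the Edwiser Bridge snippets do, or simply call check_admin_referer() with the action and field name, and keep the capability check (current_user_can()) alongside it: a valid nonce shows the request came from a form the plugin rendered for that user, not that the user is authorised to perform the action.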


Recommendations

Make sure to update to the latest version if you are running any of the above-mentioned plugins. If you had some of the vulnerable plugins installed on your blog and were using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you have already been informed about those issues by email.