This is the third part of our “Multiple WordPress plugins fixed CSRF vulnerabilities” saga. If you missed the previous episodes, you can consult them here:
Multiple WordPress plugins fixed CSRF vulnerabilities (part 1).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 2).
Vulnerable Plugins
1. Absolute Reviews
Vulnerable version: 1.0.8 and below
Vulnerable nonce: admin/class-absolute-reviews-admin.php#L645
    if ( isset( $_POST['abr_review_meta'] ) && ! wp_verify_nonce( wp_unslash( $_POST['abr_review_meta'] ), 'abr_review_meta_nonce' ) ) { // Input var ok; sanitization ok.
        return;
    }
If $_POST['abr_review_meta'] isn't set, the nonce won't be checked.
2. Advanced Popups
Vulnerable version: 1.1.1 and below
Vulnerable nonce: admin/class-advanced-popups-admin.php#L607
    if ( isset( $_POST['adp_popup_meta'] ) && ! wp_verify_nonce( wp_unslash( $_POST['adp_popup_meta'] ), 'popup_meta_nonce' ) ) { // Input var ok; sanitization ok.
        return;
    }
If $_POST['adp_popup_meta'] isn't set, the nonce won't be checked.
3. Remove Schema
Vulnerable version: 1.4 and below
Vulnerable nonce: admin/class-remove-schema-post-editor.php#L92
    // security check
    if ( isset($_POST['remove_schema_nonce']) && !wp_verify_nonce( $_POST['remove_schema_nonce'], plugin_basename( __FILE__ ) ) )
        return;
If $_POST['remove_schema_nonce'] isn't set, the nonce won't be checked.
4. Sunshine Photo Cart
Vulnerable version: 2.8.28 and below
Vulnerable nonce: admin/sunshine-products.php#L67
    if ( ( isset( $_POST['_inline_edit'] ) && !wp_verify_nonce( $_POST['_inline_edit'], 'inlineeditnonce' ) )
        || ( isset( $_POST['sunshine_noncename'] ) && !wp_verify_nonce( $_POST['sunshine_noncename'], plugin_basename( __FILE__ ) ) ) ) {
        return;
    }
Each branch only verifies its nonce when the corresponding field is present, so if neither $_POST['_inline_edit'] nor $_POST['sunshine_noncename'] is set, neither nonce is checked.
5. Ultimate Gift Cards For WooCommerce
Vulnerable version: 2.1.1 and below
Vulnerable nonce: admin/class-woocommerce-gift-cards-lite-admin.php#L471
    if ( isset( $_POST['mwb_wgm_product_nonce_field'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['mwb_wgm_product_nonce_field'] ) ), 'mwb_wgm_lite_nonce' ) ) {
        return;
    }
If $_POST['mwb_wgm_product_nonce_field'] isn't set, the nonce won't be checked.
6. wp-mpdf
Vulnerable version: 3.5.1 and below
Vulnerable nonce: wp-mpdf.php#L557
    if ( isset( $_POST['wp_mpdf_noncename'] ) && ! wp_verify_nonce( $_POST['wp_mpdf_noncename'], plugin_basename( __FILE__ ) ) ) {
        return $post_id;
    }
If $_POST['wp_mpdf_noncename'] isn't set, the nonce won't be checked.
7. Staff Directory Plugin
Vulnerable version: 3.6 and below
Vulnerable nonce: gold-framework/gold-plugins-custom-post-type.php#L312
    if ( isset($_POST[ 'my-custom-fields_wpnonce' ]) && !wp_verify_nonce( $_POST[ 'my-custom-fields_wpnonce' ], 'my-custom-fields' ) ){
        return;
    }
If $_POST[ 'my-custom-fields_wpnonce' ] isn't set, the nonce won't be checked.
8. DW Question & Answer
Vulnerable version: 1.5.7 and below (unfixed)
Vulnerable nonce: inc/Handle.php#L144
    if ( !isset( $_POST['_wpnonce'] ) && !wp_verify_nonce( esc_html( $_POST['_wpnonce'] ), '_dwqa_edit_answer' ) ) {
        dwqa_add_notice( __( 'Hello, Are you cheating huh?', 'dw-question-answer' ), 'error' );
    }
The condition is inverted: if $_POST['_wpnonce'] is set, the nonce won't be checked at all. And in the branch that does run (the field missing), the code shown only adds an error notice rather than aborting the request.
9. Contact Form 7 Style
Vulnerable version: 3.2 and below (unfixed)
Vulnerable nonce: cf7-style-meta-box.php#L553
    // verify quick edit nonce
    if ( isset( $_POST[ '_inline_edit' ] ) && ! wp_verify_nonce( sanitize_text_field( $_POST[ '_inline_edit' ] ), 'inlineeditnonce' ) )
        return $post_id;
If $_POST[ '_inline_edit' ] isn't set, the nonce won't be checked.
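All nine cases above are the same mistake in two spellings: `isset( … ) && ! wp_verify_nonce( … )`, which skips verification whenever the request simply omits the field, and the DW Question & Answer variant `! isset( … ) && ! wp_verify_nonce( … )`, which skips it whenever the field is present. Because wp_verify_nonce() only returns a truthy value for a valid nonce, the correct shape is to fail closed: a missing field and an invalid field must both abort. The handler below is an added example written for this post, not code from any of the plugins listed; the myplugin_ prefix, the 'myplugin_meta' action, the myplugin_meta_nonce / myplugin_rating fields and the _myplugin_rating meta key are hypothetical, and the WordPress core functions it calls (wp_verify_nonce, wp_nonce_field, current_user_can, update_post_meta, …) need a WordPress install to run.

```php
<?php
// Added example, not code from the plugins discussed above. All myplugin_*
// names, the 'myplugin_meta' nonce action and the '_myplugin_rating' meta key
// are hypothetical. Requires WordPress (wp_verify_nonce() etc. are core functions).

// VULNERABLE: the nonce is only verified when the field is present, so a
// cross-site POST that omits 'myplugin_meta_nonce' reaches update_post_meta().
function myplugin_save_meta_vulnerable( $post_id ) {
    if ( isset( $_POST['myplugin_meta_nonce'] )
        && ! wp_verify_nonce( $_POST['myplugin_meta_nonce'], 'myplugin_meta' ) ) {
        return;
    }
    if ( isset( $_POST['myplugin_rating'] ) ) {
        update_post_meta( $post_id, '_myplugin_rating', (int) $_POST['myplugin_rating'] );
    }
}

// HARDENED: fail closed. A missing nonce is treated exactly like an invalid one,
// and because a nonce only proves intent, the capability check is still required.
function myplugin_save_meta_hardened( $post_id ) {
    // Autosaves and revisions never carry the meta box nonce; bail out early.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    // "! isset(...) ||" instead of "isset(...) &&": absent or invalid both abort.
    if ( ! isset( $_POST['myplugin_meta_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['myplugin_meta_nonce'] ) ), 'myplugin_meta' ) ) {
        return;
    }
    // CSRF protection is not authorization: the user must be allowed to edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['myplugin_rating'] ) ) {
        $rating = max( 0, min( 5, (int) $_POST['myplugin_rating'] ) ); // clamp to the 0..5 range
        update_post_meta( $post_id, '_myplugin_rating', $rating );
    }
}
add_action( 'save_post', 'myplugin_save_meta_hardened' );

// The meta box must emit the nonce field the handler expects (same action and field name).
function myplugin_render_meta_box( $post ) {
    wp_nonce_field( 'myplugin_meta', 'myplugin_meta_nonce' );
    $rating = (int) get_post_meta( $post->ID, '_myplugin_rating', true );
    echo '<input type="number" name="myplugin_rating" min="0" max="5" value="' . esc_attr( $rating ) . '">';
}
```

The `! isset( … ) || ! wp_verify_nonce( … )` form is the whole fix; the autosave, revision and capability checks are the rest of what a save_post handler that writes meta should carry. For admin-side form handlers that are not hooked on save_post, check_admin_referer( $action, $name ) does the same nonce verification and terminates the request itself on failure, so it cannot be bypassed by leaving the field out.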
Recommendations
Make sure to update to the latest version if you are running any of the above-mentioned plugins. If you had some of the vulnerable plugins installed on your blog and were using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you have already been informed about those issues by email.
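If you maintain or audit plugins yourself, the flawed pattern is mechanical enough to grep for. The script below is an added example, not part of the original post and not a NinTechNet tool; it is a regex heuristic rather than a PHP parser, so it reports candidates for manual review and will not catch checks split across several lines. The source it scans is constructed inline from the snippets quoted above, plus one hardened line (the `! isset( … ) ||` form) that must not be flagged.

```php
<?php
// Added example, not from the original post: a crude static check for the
// "isset(...) && !wp_verify_nonce(...)" anti-pattern (and its inverted
// "!isset(...) && !wp_verify_nonce(...)" form). Heuristic only; it inspects
// one line at a time and does not understand PHP syntax.

// Optional leading "!", isset( $_POST/$_GET/$_REQUEST[...] ), "&&", "!", wp_verify_nonce(
const NONCE_ANTIPATTERN = '/!?\s*isset\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[[^\]]*\]\s*\)\s*&&\s*!\s*wp_verify_nonce\s*\(/';

/**
 * Return the 1-based numbers of the lines in $source that match the anti-pattern.
 */
function find_nonce_antipattern( string $source ): array {
    $hits = [];
    foreach ( explode( "\n", $source ) as $i => $line ) {
        if ( preg_match( NONCE_ANTIPATTERN, $line ) ) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// Constructed sample: three lines taken from the post's snippets (vulnerable) and
// one hardened line using "! isset(...) ||" that a correct scan must leave alone.
$sample = <<<'SRC'
if ( isset( $_POST['abr_review_meta'] ) && ! wp_verify_nonce( wp_unslash( $_POST['abr_review_meta'] ), 'abr_review_meta_nonce' ) ) { return; }
if ( !isset( $_POST['_wpnonce'] ) && !wp_verify_nonce( esc_html( $_POST['_wpnonce'] ), '_dwqa_edit_answer' ) ) { dwqa_add_notice( 'x', 'error' ); }
if ( ! isset( $_POST['myplugin_meta_nonce'] ) || ! wp_verify_nonce( $_POST['myplugin_meta_nonce'], 'myplugin_meta' ) ) { return; }
if ( isset( $_POST['_inline_edit'] ) && ! wp_verify_nonce( sanitize_text_field( $_POST['_inline_edit'] ), 'inlineeditnonce' ) ) return $post_id;
SRC;

foreach ( find_nonce_antipattern( $sample ) as $n ) {
    echo "line $n: nonce check can be skipped by omitting (or, in the inverted form, supplying) the field\n";
}
```

Run it with `php scan.php`; to scan a real plugin, replace $sample with file_get_contents() of each .php file under the plugin directory. A match is a reason to read the surrounding handler, not proof of a vulnerability: some code re-checks the nonce later, or the handler may be reachable only through a path that already verified it.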
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet