Multiple WordPress plugins fixed CSRF vulnerabilities (part 4).

This is the fourth part of our “Multiple WordPress plugins fixed CSRF vulnerabilities” saga. If you missed the previous episodes, you can click on the links below:
Multiple WordPress plugins fixed CSRF vulnerabilities (part 1).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 2).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 3).

Vulnerable Plugins

1. Slider Hero
Vulnerable version: 8.2.0 and below
Vulnerable nonce: qcld-slider-main.php#275

if ( isset( $_REQUEST['slider_hero_duplicate_nonce'] ) ) {
   if ( ! wp_verify_nonce( $_REQUEST['slider_hero_duplicate_nonce'], 'slider_hero_duplicateslider_' . $id ) ) {
      die( __( 'Security check failed', 'reslide' ) );
   }
}

If $_REQUEST['slider_hero_duplicate_nonce'] isn’t set, the nonce won’t be checked.


2. Amministrazione Trasparente
Vulnerable version: 7.1 and below
Vulnerable nonce: redirector.php#L27

// verify this came from the our screen and with proper authorization,
// because save_post can be triggered at other times
if ( isset($_POST['aturlmeta_noncename']) && !wp_verify_nonce( $_POST['aturlmeta_noncename'], plugin_basename(__FILE__) )) {
   return $post->ID;
}

If $_POST['aturlmeta_noncename'] isn’t set, the nonce won’t be checked.


3. Vuukle
Vulnerable version: 3.4.31 and below
Vulnerable nonce: admin/partials/free-comments-for-wordpress-vuukle-admin-display.php#L57

if (isset($_POST['nonce']) && !wp_verify_nonce(sanitize_key($_POST['nonce']), $this->settings_name)) { // Input var okay
   wp_die(esc_html('Security check failed! Settings not saved.'));
}

If $_POST['nonce'] isn’t set, the nonce won’t be checked.


4. WP EasyPay
Vulnerable version: 3.2.0 and below
Vulnerable nonce: wpep_setup.php#L221

if ( ! isset($_POST['nonce']) && ! wp_verify_nonce( sanitize_key($_POST['nonce']), 'nonce' )  ) {
   die('access denied! Nonce not verify.');
}

If $_POST['nonce'] is set, the nonce won’t be checked.


5. Abandoned Cart Recovery for WooCommerce
Vulnerable version: 1.0.4 and below
Vulnerable nonce #1: includes/reports/abandoned-report-table.php#L166

if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'wacv-filter' ) ) {
   return;
}

If $_GET['_wpnonce'] isn’t set, the nonce won’t be checked.

Vulnerable nonce #2: abandoned-report-table.php#L341

if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'wacv-filter' ) ) {
   return;
}

Same as above.


6. Locations
Vulnerable version: 3.2.1 and below
Vulnerable nonce: gold-framework/gold-plugins-custom-post-type.php#L291

if ( isset($_POST[ 'my-custom-fields_wpnonce' ]) && !wp_verify_nonce( $_POST[ 'my-custom-fields_wpnonce' ], 'my-custom-fields' ) ){
   return;
}

If $_POST[ 'my-custom-fields_wpnonce' ] isn’t set, the nonce won’t be checked.
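All six plugins above share one mistake in three spellings: the nonce is verified only when the request bothers to send one (items 2, 3, 5 and 6 with `isset() && !wp_verify_nonce()`, item 1 with a nested `if`), or, in item 4, only when it is absent. The script below is an added example, not code from any of these plugins or from WordPress: it puts each flawed conditional next to the correct `!isset() || !wp_verify_nonce()` form and runs all four against a request carrying a valid nonce, a wrong nonce, and no nonce at all. `demo_create_nonce()`/`demo_verify_nonce()` and `NONCE_SECRET` are constructed stand-ins for `wp_create_nonce()`/`wp_verify_nonce()` so the file runs with plain `php` and no WordPress install; the action name and request arrays are likewise made up for the demo.

```php
<?php
// Added example, not code from the plugins discussed in this post.
// The nonce helpers are a constructed stand-in for WordPress' own
// wp_create_nonce()/wp_verify_nonce(), good enough to show how each
// conditional behaves; they are not WordPress' implementation.

const NONCE_SECRET = 'constructed-secret-for-demo-only';

function demo_create_nonce(string $action): string {
    return substr(hash_hmac('sha256', $action, NONCE_SECRET), 0, 10);
}

function demo_verify_nonce(string $nonce, string $action): bool {
    // Constant-time comparison, as a real verifier should use.
    return hash_equals(demo_create_nonce($action), $nonce);
}

// Every checker returns true when the request must be REJECTED.
// $request stands in for $_POST / $_GET / $_REQUEST.

// Pattern from items 2, 3, 5 and 6: isset() && !verify
function reject_isset_and(array $request, string $action): bool {
    return isset($request['nonce']) && !demo_verify_nonce($request['nonce'], $action);
}

// Pattern from item 1: nested if (isset) { if (!verify) die }
function reject_nested(array $request, string $action): bool {
    if (isset($request['nonce'])) {
        if (!demo_verify_nonce($request['nonce'], $action)) {
            return true;
        }
    }
    return false;
}

// Pattern from item 4: !isset() && !verify
// ('?? ""' only avoids the undefined-index notice the original would emit;
// it does not change the outcome.)
function reject_not_isset_and(array $request, string $action): bool {
    return !isset($request['nonce']) && !demo_verify_nonce($request['nonce'] ?? '', $action);
}

// Correct form: a missing nonce OR an invalid nonce rejects the request.
function reject_correct(array $request, string $action): bool {
    return !isset($request['nonce']) || !demo_verify_nonce($request['nonce'], $action);
}

$action = 'demo_save_settings';            // constructed action name
$requests = [
    'valid nonce'   => ['nonce' => demo_create_nonce($action)],
    'wrong nonce'   => ['nonce' => 'not-the-real-nonce'],
    'nonce missing' => [],                 // what a cross-site forged form sends
];

$checkers = [
    'isset && !verify  (items 2,3,5,6)' => 'reject_isset_and',
    'nested if isset   (item 1)'        => 'reject_nested',
    '!isset && !verify (item 4)'        => 'reject_not_isset_and',
    '!isset || !verify (correct)'       => 'reject_correct',
];

printf("%-36s %-12s %-12s %-14s\n", 'check', 'valid nonce', 'wrong nonce', 'nonce missing');
foreach ($checkers as $label => $fn) {
    $row = [];
    foreach ($requests as $request) {
        $row[] = $fn($request, $action) ? 'rejected' : 'ACCEPTED';
    }
    printf("%-36s %-12s %-12s %-14s\n", $label, ...$row);
}
```

Running it prints one row per conditional: the `isset && !verify` and nested variants accept the request with no nonce, the item 4 variant accepts any nonce value as long as one is present, and only the `!isset || !verify` form rejects both the missing and the wrong nonce while accepting the valid one. When reviewing a plugin, grep for `isset(` on the same line as `wp_verify_nonce(` and check which side of the `&&`/`||` the `isset()` sits on.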


Recommendations

Make sure to update to the latest version if you are running any of the above-mentioned plugins. If you had some of the vulnerable plugins installed on your blog and were using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you have already been informed about those issues by email.
