Multiple WordPress plugins fixed CSRF vulnerabilities (part 5).

This is the fifth part of our “Multiple WordPress plugins fixed CSRF vulnerabilities” saga. If you missed the previous episodes, you can click on the links below:
Multiple WordPress plugins fixed CSRF vulnerabilities (part 1).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 2).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 3).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 4).

Vulnerable Plugins

1. Rucy
Vulnerable version: 0.4.4 and below (plugin closed)
Vulnerable nonce: inc/class-rucy-editor.php#L242

if(isset( $_POST['schroeder'] ) && !wp_verify_nonce( $_POST['schroeder'], plugin_basename( __FILE__ ) ) ) {
   return;
}

If $_POST['schroeder'] isn’t set, the nonce won’t be checked.


2. WP-Backgrounds Lite
Vulnerable version: 2.3 and below (plugin closed)
Vulnerable nonce: inoplugs_background_plugin.php#L183

// verify nonce
if (isset($_POST['ino_meta_box_nonce']) && !wp_verify_nonce($_POST['ino_meta_box_nonce'], basename(__FILE__))) {
   return $post_id;
}

If $_POST['ino_meta_box_nonce'] isn’t set, the nonce won’t be checked.


3. WP Security Question
Vulnerable version: 1.0.5 and below (plugin closed)
Vulnerable nonce: modules/settings/model.settings.php#L36

if ( isset( $_REQUEST['_wpnonce'] ) ) {
   $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) );
}
if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {
   die( 'Cheating...' );
}

If $_REQUEST['_wpnonce'] isn’t set, the nonce won’t be checked.


4. Event Espresso 4 Decaf – Event Registration Event Ticketing
Vulnerable version: 4.10.11.decaf and below (plugin closed)
Vulnerable nonce: core/domain/services/pue/Stats.php#L194

// verify nonce
if (isset($_POST['nonce']) && ! wp_verify_nonce($_POST['nonce'], 'ee-data-optin')) {
   exit();
}

If $_POST['nonce'] isn’t set, the nonce won’t be checked.


5. WordPress Photo Gallery – Image Gallery
Vulnerable version: 1.0.6 and below (plugin closed)
Vulnerable nonce #1: includes/view/ajax-function.php#L562

if (!isset($_POST['galleryImgThumbnailLoadNonce']) && !wp_verify_nonce($_POST['galleryImgThumbnailLoadNonce'], 'gallery_img_thumbnail_load_nonce')) {
   wp_die('Security check fail');
}

If $_POST['galleryImgThumbnailLoadNonce'] is set, the nonce won’t be checked.

Vulnerable nonce #2: includes/admin/admin-page-galleries.php#L107

if (isset($_REQUEST['gallery_nonce_remove_image']) && !wp_verify_nonce($_REQUEST['gallery_nonce_remove_image'], 'gallery_nonce_remove_image' . $idfordelete)) {
   wp_die('Security check fail edit');
}

If $_REQUEST['gallery_nonce_remove_image'] isn’t set, the nonce won’t be checked.


6. Opal Estate
Vulnerable version: 1.6.11 and below (plugin closed)
Vulnerable nonce #1: inc/ajax-functions.php#L183

if ( ! isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], 'nonce' ) ) return;

If $_REQUEST['nonce'] is set, the nonce won’t be checked.

Vulnerable nonce #2: inc/ajax-functions.php#L195

if ( ! isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], 'nonce' ) ) return;

Same as above.


7. Sync to Etsy Marketplace from WooCommerce
Vulnerable version: 3.3.1 and below (plugin closed)
Vulnerable nonce: etsy-export-feed-manage.php#L737

if ( ! isset( $_GET['ETCPF_security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['ETCPF_security'] ) ), 'delete_feed' ) ) {
   if ( ! current_user_can( 'editor' ) || ! current_user_can( 'administrator' ) ) {
      return false;
   }
}

If $_GET['ETCPF_security'] is set, the nonce won’t be checked (and the 2 capability checks will be bypassed as well, since they live inside the skipped block). Note also that the two role checks are joined with ||, so when the parameter is absent the block returns false for any user who lacks either role; only a user holding both the editor and administrator roles would get through.


8. RAYS Grid
Vulnerable version: 1.2.2 and below (plugin closed)
Vulnerable nonce: includes/class-db.php#L132

if ( isset( $_POST['rsgd_nonce_fields'] ) && ! wp_verify_nonce( $_POST['rsgd_nonce_fields'], 'rsgd_nonce_fields' ) && !current_user_can( 'edit_others_posts' ) ) { return; }

If $_POST['rsgd_nonce_fields'] isn’t set, the nonce won’t be checked (and the capability check will be bypassed as well).


9. Sell Media
Vulnerable version: 2.5.5 and below (plugin closed)
Vulnerable nonce: inc/gateways/class-sm-gateway-paypal-request.php#L85

//check_ajax_referer( 'sell_media_paypal_nonce', 'nonce_security' );
if (isset($_POST['_nonce']) && !wp_verify_nonce($_POST['_nonce'], 'sell_media_paypal_nonce')) {
   $_send_data['status'] = false;
   wp_send_json($_send_data);
   die();
}

If $_POST['_nonce'] isn’t set, the nonce won’t be checked.
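All nine plugins above share one defect: the nonce is only verified when the request happens to carry it (or, in the inverted variants, only when it does not), so a forged cross-site request simply leaves the parameter out (or adds it) and the handler runs. The fail-closed form is `if ( ! isset( $_POST['x'] ) || ! wp_verify_nonce( $_POST['x'], 'action' ) ) { wp_die(); }`, or just `check_admin_referer()` / `check_ajax_referer()`, which die on a missing or invalid nonce. The scanner below is an added example written for this post, not code from any of the plugins: it pulls every `if (...)` condition that calls wp_verify_nonce out of PHP source and classifies the isset/wp_verify_nonce combination as bypassable when the parameter is absent, bypassable when it is present, or correct. The PHP it runs over is a constructed sample that reproduces the shapes seen in this post (Rucy, Opal Estate, WP Security Question) plus a correct check; the file and nonce names in it are illustrative only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One finding per "if" whose condition calls wp_verify_nonce.
@dataclass
class Finding:
    line: int        # 1-based line of the "if" in the scanned source
    param: str       # request parameter (or local variable) that gates the check
    verdict: str     # "bypass_if_absent", "bypass_if_present", "ok" or "unknown"
    condition: str   # whitespace-normalised condition text

# "<!?>isset(<param>) <op> <!?>wp_verify_nonce(" after whitespace normalisation.
# <param> is a GET/POST/REQUEST index or a plain variable such as $nonce.
_GUARD = re.compile(
    r"(?P<neg_isset>!?)\s*isset\(\s*"
    r"(?P<param>\$_(?:GET|POST|REQUEST)\[\s*['\"][^'\"]+['\"]\s*\]|\$\w+)\s*\)"
    r"\s*(?P<op>&&|\|\||\band\b|\bor\b)\s*"
    r"(?P<neg_verify>!?)\s*wp_verify_nonce\("
)
_IF = re.compile(r"\bif\s*\(")


def _balanced(src: str, start: int) -> str:
    """Return the text between the '(' at src[start] and its matching ')'."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]          # unbalanced input: take the rest


def classify(condition: str) -> Optional[Tuple[str, str, str]]:
    """Map an if-condition to (param, verdict, normalised condition)."""
    cond = " ".join(condition.split())
    m = _GUARD.search(cond)
    if not m:
        return None
    neg_isset = m.group("neg_isset") == "!"
    neg_verify = m.group("neg_verify") == "!"
    conj = m.group("op") in ("&&", "and")
    if neg_verify and conj and not neg_isset:
        verdict = "bypass_if_absent"     # isset(x) && !verify(x): omit x
    elif neg_verify and conj and neg_isset:
        verdict = "bypass_if_present"    # !isset(x) && !verify(x): send any x
    elif neg_verify and not conj and neg_isset:
        verdict = "ok"                   # !isset(x) || !verify(x): fails closed
    else:
        verdict = "unknown"
    return m.group("param"), verdict, cond


def scan(src: str) -> List[Finding]:
    """Scan PHP source text and return one Finding per nonce-guarded if."""
    findings: List[Finding] = []
    for m in _IF.finditer(src):
        cond = _balanced(src, m.end() - 1)
        if "wp_verify_nonce" not in cond:
            continue
        result = classify(cond)
        if result is None:
            continue
        param, verdict, norm = result
        line = src.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, param, verdict, norm))
    return findings


# Constructed sample, not a real plugin: one instance of each shape in the post.
SAMPLE_PHP = r"""<?php
// (1) absent nonce skips the check (Rucy shape)
if ( isset( $_POST['schroeder'] ) && ! wp_verify_nonce( $_POST['schroeder'], 'act' ) ) {
    return;
}
// (2) present nonce skips the check (Opal Estate shape)
if ( ! isset( $_REQUEST['nonce'] ) && ! wp_verify_nonce( $_REQUEST['nonce'], 'nonce' ) ) return;
// (3) local variable and the "and" keyword (WP Security Question shape)
if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) { die( 'Cheating...' ); }
// (4) correct: fail closed when the nonce is absent OR invalid
if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'act' ) ) { wp_die( 'nope' ); }
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f.line}: {f.verdict:18} {f.param}")
```

Run it against a real plugin with `scan(open(path).read())`; anything reported as bypass_if_absent or bypass_if_present is a candidate for exactly the CSRF shown above. The regex only recognises the isset/wp_verify_nonce pairing this post is about, so a handler with no nonce check at all, or one that verifies the nonce but never calls current_user_can, will not be flagged; a nonce proves the request came from a page WordPress served to that user, not that the user is allowed to do the action, so the capability check is still needed separately.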

