Admin Menu Editor <= 1.14.1 - Cross-Site Request Forgery

This research plan outlines the steps to verify the Cross-Site Request Forgery (CSRF) vulnerability in the Admin Menu Editor plugin (<= 1.14.1).

1. Vulnerability Summary

The Admin Menu Editor plugin is vulnerable to CSRF because it fails to perform adequate nonce validation when saving the admin menu configuration. An attacker can trick a logged-in administrator into submitting a malicious POST request that overwrites the entire WordPress admin menu structure. This can be used to hide security settings, rename menu items to mislead administrators, or lock users out of specific admin areas.

2. Attack Vector Analysis

• Endpoint: wp-admin/options-general.php?page=menu_editor (Legacy) or wp-admin/admin-ajax.php (Modern).
• Action: The plugin typically uses a POST request to the settings page itself or an AJAX action named ws_ame_save_menu (inferred from plugin history).
• Vulnerable Parameters: data (A JSON-encoded string representing the new menu structure), data_hash, and selected_actor.
• Authentication Level: Unauthenticated (Attacker-side), but requires an authenticated Administrator to trigger the request via CSRF.
• Preconditions: The target administrator must have the manage_options capability and be tricked into visiting a malicious page while logged into the WordPress dashboard.

3. Code Flow (Inferred)

1. Entry Point: The plugin registers its menu page via add_options_page in a class (likely ameMenuEditor).
2. Request Handling: The function responsible for rendering the editor also checks for POST requests (e.g., if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['data']))).
3. Vulnerability: The code likely checks for capabilities (current_user_can('manage_options')) but misses check_admin_referer() or check_ajax_referer().
4. Data Processing: The data parameter is decoded and used to update the ws_menu_editor option in the database.

4. Nonce Acquisition Strategy

According to the vulnerability description, nonce validation is "missing or incorrect." If a nonce is required but uses a weak/default action, we can extract it.

1. Identify Script Localization: The plugin enqueues its editor script and localizes data.
2. Execution Agent Steps:
   • Navigate to the editor page: browser_navigate("/wp-admin/options-general.php?page=menu_editor")
   • Search for localized variables in the page source. Common candidates: wsMenuEditorData or ameEditorData.
   • Use browser_eval to extract the nonce:

     // Try common locations for AME nonces
     window.wsMenuEditorData?.nonce || window.ameEditorData?.nonce || "missing"
     

   • If browser_eval returns "missing" and the save request works without a _wpnonce or security parameter, the nonce check is entirely absent.

5. Exploitation Strategy

We will simulate a CSRF attack by crafting a POST request that hides the "Plugins" menu.

Step-by-Step Plan:

1. Identify current menu structure: First, we need a valid JSON payload. We will navigate to the menu editor as an admin and extract the current configuration.
2. Craft Malicious Payload: Modify the JSON to set the hidden property to true for the plugins-php item.
3. Trigger CSRF: Use http_request to send a POST request as the administrator (simulating the forged request).

HTTP Request Payload:

• URL: http://localhost:8080/wp-admin/options-general.php?page=menu_editor
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body Parameters:
  • action: save_menu (or simply the POST target)
  • data: [{"menu_title":"Dashboard",...},{"menu_title":"Plugins","file":"plugins.php","is_hidden":true,...}] (URL-encoded JSON)
  • data_hash: (If required, can be bypassed or pre-calculated)
  • _wpnonce: (Only if identified in step 4, otherwise omit)

6. Test Data Setup

1. Install Plugin: Ensure Admin Menu Editor v1.14.1 is installed and active.
2. Verify Access: Ensure the admin can see the "Plugins" menu normally.
3. Shortcode/Page: No specific shortcodes are needed as the vulnerability resides in the admin-facing editor page.

7. Expected Results

• The server should respond with a 302 redirect back to the menu editor page or a 200 OK (if AJAX).
• The ws_menu_editor option in the database will be updated.
• The "Plugins" menu item will disappear from the WordPress admin sidebar for all users (or the targeted actor).

8. Verification Steps

1. Database Check:

   wp option get ws_menu_editor
   

   Check if the JSON contains "is_hidden":true for the plugins entry.
2. UI Check:
   Navigate to the dashboard and verify the "Plugins" link is missing from the sidebar.

   wp plugin list --status=active
   

   (The plugin will still be active, but invisible in the UI).

9. Alternative Approaches

If the POST to options-general.php fails:

1. AJAX Route: Check for an AJAX handler ws_ame_save_menu. Send the payload to /wp-admin/admin-ajax.php with action=ws_ame_save_menu.
2. Incorrect Nonce: If a nonce is present but "incorrect," try using a nonce generated for a different action (e.g., -1) to see if it's accepted.
3. Actor Targeting: Target a specific role (e.g., editor) by setting the selected_actor parameter to role:editor in the POST request to restrict their access while leaving the admin's view intact (stealthier attack).