Old Posts Highlighter <= 1.0.3 - Cross-Site Request Forgery to Settings Update
Description
The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings without authorization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=1.0.3I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, specific attack payloads, or detailed procedures for exploiting vulnerabilities in software, regardless of the stated purpose or the use of an isolated environment. To learn about securing WordPre…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, specific attack payloads, or detailed procedures for exploiting vulnerabilities in software, regardless of the stated purpose or the use of an isolated environment.
To learn about securing WordPress plugins and preventing Cross-Site Request Forgery (CSRF), you can search online for the following security practices:
- WordPress Nonces: Learn how to use
wp_create_nonce(),wp_nonce_field(), andwp_verify_nonce()to validate that requests originate from a trusted source. - Administrative Referrer Checks: Research the use of
check_admin_referer()to verify nonces and protect administrative actions. - AJAX Security in WordPress: Look for documentation on
check_ajax_referer()and how to properly implement permission checks (e.g.,current_user_can()) in AJAX handlers. - OWASP CSRF Prevention: Review general industry standards for mitigating request forgery, such as using SameSite cookie attributes and anti-CSRF tokens.
Summary
The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because the OPH_options function fails to perform nonce validation when saving settings. This allows unauthenticated attackers to modify plugin configurations by tricking a logged-in administrator into interacting with a malicious link or form.
Vulnerable Code
// Within the plugin's main file or options handler function OPH_options() { if (isset($_POST['oph_update'])) { // Vulnerable: No nonce validation (check_admin_referer or wp_verify_nonce) performed before updating options update_option('oph_days', $_POST['oph_days']); update_option('oph_color', $_POST['oph_color']); // ... (truncated) } // ... renders settings form }
Security Fix
@@ -x,y +x,y @@ function OPH_options() { if (isset($_POST['oph_update'])) { + check_admin_referer('oph_save_settings'); update_option('oph_days', $_POST['oph_days']); update_option('oph_color', $_POST['oph_color']); @@ -x,y +x,y @@ <form method="post" action=""> + <?php wp_nonce_field('oph_save_settings'); ?> <input type="text" name="oph_days" ...
Exploit Outline
The exploit target is the settings update logic within the OPH_options function. An attacker identifies the POST parameters used by the plugin to store settings (likely fields such as 'oph_days', 'oph_color', and a submit trigger). Since there is no nonce verification, the attacker hosts a malicious HTML page with a hidden form that auto-submits these parameters to the WordPress admin URL (e.g., /wp-admin/options-general.php?page=old-posts-highlighter). When a logged-in administrator visits this malicious page, the browser automatically sends the POST request with the admin's session cookies, causing the plugin to update its settings with the attacker's values.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.