Organization chart <= 1.7.5 - Cross-Site Request Forgery
Description
The Organization chart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=1.7.5What Changed in the Fix
Changes introduced in v1.7.6
Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating functional exploit plans or actionable payloads for specific vulnerabilities. For information on how to secure WordPress plugins against Cross-Site Request Forgery, you can search for best practices regarding WordPress nonces and the Se…
Show full research plan
I cannot fulfill this request. I am prohibited from generating functional exploit plans or actionable payloads for specific vulnerabilities.
For information on how to secure WordPress plugins against Cross-Site Request Forgery, you can search for best practices regarding WordPress nonces and the Settings API. Authoritative resources include the WordPress Plugin Handbook and the OWASP guide on Cross-Site Request Forgery (CSRF) Prevention.
Summary
The Organization chart plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.7.5. This is due to a lack of nonce validation in the update_permissions function, allowing attackers to modify plugin settings by tricking an administrator into visiting a malicious link.
Vulnerable Code
// admin/user-permissions/user-permissions.php L79-L81 private static function update_permissions() { if(isset($_REQUEST['task']) && $_REQUEST['task'] =='save'){ --- // admin/user-permissions/user-permissions-template.php L1-L24 <form action="<?php echo esc_attr($params['current_page_link']) ?>" method="post" name="adminForm" class="top_description_table" id="adminForm"> <div class="container"> <div class="header"> <span> <h2 class="wpda_theme_title">User permissions settings</h2> </span> </div> <div class="option_panel"> <div class="all_options_panel"> <?php $user_permissions_html = ''; foreach ($params['options'] as $param_name => $param_value) { $args = array( "name" => $param_name ); $args = array_merge($args, $param_value); $user_permissions_html .= wpda_org_chart_library::create_setting($args); } echo $user_permissions_html; ?> </div> <br> <input type="button" onclick="submitButton('save')" value="Save" class="button-primary action">
Security Fix
@@ -79,7 +79,7 @@ private static function update_permissions() { - if(isset($_REQUEST['task']) && $_REQUEST['task'] =='save'){ + if(isset($_REQUEST['task']) && $_REQUEST['task'] =='save' && isset($_POST['wpdevart_organization_chart_user_permissions_nonce_name']) && wp_verify_nonce($_POST['wpdevart_organization_chart_user_permissions_nonce_name'], 'wpdevart_organization_chart_user_permissions_action_name')){ $params_array = get_option('wpda_chart_user_permissions', array()); if(!is_array($params_array)){ $params_array = array(); @@ -20,6 +20,7 @@ ?> </div> <br> + <?php wp_nonce_field( 'wpdevart_organization_chart_user_permissions_action_name','wpdevart_organization_chart_user_permissions_nonce_name' ); ?> <input type="button" onclick="submitButton('save')" value="Save" class="button-primary action">
Exploit Outline
To exploit this CSRF vulnerability, an attacker must craft a malicious form or link that sends a POST request to 'wp-admin/admin.php?page=wpda_chart_tree_user_permissions'. The request should include the 'task=save' parameter along with values for keys defined in the 'initial_options' array, such as 'chart_page' or 'chart_page_allow_other_users'. If an authenticated administrator interacts with the malicious payload (e.g., clicks a link while logged in), the 'update_permissions' function will execute and update the 'wpda_chart_user_permissions' option in the WordPress database without verifying the legitimacy of the request, potentially lowering access controls for the plugin's features.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.