SensitiveTagCloud <= 1.4.1 - Cross-Site Request Forgery
Description
The SensitiveTagCloud plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=1.4.1This research plan outlines the steps required to identify and verify the Cross-Site Request Forgery (CSRF) vulnerability in the **SensitiveTagCloud** plugin (version <= 1.4.1). ## 1. Vulnerability Summary The **SensitiveTagCloud** plugin fails to implement or incorrectly validates WordPress nonces…
Show full research plan
This research plan outlines the steps required to identify and verify the Cross-Site Request Forgery (CSRF) vulnerability in the SensitiveTagCloud plugin (version <= 1.4.1).
1. Vulnerability Summary
The SensitiveTagCloud plugin fails to implement or incorrectly validates WordPress nonces (CSRF tokens) during administrative actions, most likely when saving plugin settings or updating "sensitive" tag lists. This allows an attacker to perform unauthorized state-changing operations by inducing a logged-in administrator to interact with a malicious webpage or link.
2. Attack Vector Analysis
- Target Endpoint: Likely
wp-admin/options-general.php?page=sensitive-tag-cloudorwp-admin/admin-post.php. - Vulnerable Action: Saving configuration options (e.g., font sizes, tag exclusions, or "sensitive" tag identifiers).
- Authentication Level: Requires the victim to be a logged-in Administrator.
- Preconditions: The plugin must be active. The attacker must know the parameter names used in the settings form.
3. Code Flow (Inferred)
Since source files are not provided, the research agent must trace the following path:
- Entry Point: Look for
add_options_page()oradd_menu_page()in the main plugin file to identify the settings page slug. - Hook Registration: Identify how the plugin handles form submissions. Check for
add_action( 'admin_init', ... )oradd_action( 'admin_post_...', ... ). - Form Handler: Locate the function responsible for processing
$_POSTdata. - The Sink: Search for
update_option()or$wpdb->query()within that handler. - The Vulnerability: Observe the absence of
check_admin_referer()orwp_verify_nonce()before the state-changing logic occurs.
4. Nonce Acquisition Strategy
The vulnerability is described as missing or incorrect nonce validation.
- If missing: No nonce is required for the exploit.
- If incorrect: The plugin might be using a generic nonce or a hardcoded string that does not change per user session.
To verify the existence of a nonce requirement:
- Create a test page with the plugin's primary shortcode (if applicable) to see if scripts are enqueued:
wp post create --post_type=page --post_status=publish --post_content='[sensitive-tag-cloud]' - Navigate to the plugin settings page:
/wp-admin/options-general.php?page=sensitive-tag-cloud. - Use
browser_evalto check for localized nonce variables:browser_eval("window.stc_vars?.nonce || window.sensitive_tag_cloud_data?.security")(inferred names). - Examine the HTML source for hidden inputs:
browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value").
5. Exploitation Strategy
The goal is to change a plugin setting (e.g., hiding all tags) without a valid nonce.
Step 1: Discover Parameters
Navigate to the settings page and extract form fields:browser_eval("Array.from(document.querySelectorAll('form input, form select')).map(i => i.name)")
Step 2: Execute CSRF via HTTP Request
Using the http_request tool, simulate the admin's form submission but omit the nonce or provide an invalid one.
- URL:
http://localhost:8080/wp-admin/options.php(if using Settings API) ORhttp://localhost:8080/wp-admin/admin-post.php. - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body (Example Payload):
action=stc_save_settings&stc_font_size=99px&stc_sensitive_tags=important,private&submit=Save+Changes(inferred parameters)
6. Test Data Setup
- Install Plugin: Ensure
sensitive-tag-cloudversion 1.4.1 is installed and active. - Admin User: Ensure an administrator account exists (default
admin/password). - Initial State: Record current plugin settings using WP-CLI:
wp option get stc_settings(inferred option name).
7. Expected Results
- Success: The HTTP response should be a redirect (
302) back to the settings page, and the plugin configuration should be updated in the database despite the lack of a valid_wpnonce. - Failure: The response is a
403 Forbiddenor a WordPress "Are you sure you want to do this?" (failure to validate) page.
8. Verification Steps
After sending the http_request, verify the change via WP-CLI:
# Check if the specific option was modified
wp option get stc_settings
# If the output matches the 'attacker_value' sent in the POST body, CSRF is confirmed.
9. Alternative Approaches
- GET-based CSRF: Check if the handler accepts
$_REQUESTinstead of strictly$_POST. If so, test if the setting can be changed via a simpleimgtag or link:/wp-admin/admin-post.php?action=stc_delete_tags&id=1 - Bypass via Default Action: If
wp_verify_nonce($nonce, -1)is used, try obtaining a nonce for the default action from any other part of the WordPress dashboard and reuse it here.
Summary
The SensitiveTagCloud plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.4.1. This is due to missing or incorrect nonce validation in the plugin's administrative functions, allowing attackers to modify plugin settings by tricking an administrator into performing an action like clicking a link.
Exploit Outline
The exploit targets the plugin's administrative settings page, typically accessible at 'wp-admin/options-general.php?page=sensitive-tag-cloud'. Since the plugin fails to validate WordPress nonces (CSRF tokens) during form submissions, an attacker can craft a malicious HTML page that sends a POST request to 'wp-admin/options.php' or 'wp-admin/admin-post.php' containing modified settings parameters (e.g., font sizes or tag lists). If an authenticated administrator visits the attacker-controlled page, the browser will automatically send the request with the victim's session cookies, successfully updating the plugin's configuration without authorization.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.