CVE-2026-1085

True Ranker <= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection

Vulnerability type: Cross-Site Request Forgery (CSRF)
Severity: medium
CVSS Score: 4.3
Patched in: Unpatched
Time to patch: N/A

Description

The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action. This makes it possible for unauthenticated attackers to disconnect the administrator's True Ranker account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.2.9
Published: March 6, 2026
Last updated: April 15, 2026
Affected plugin: seo-local-rank

Research Plan

Status: Unverified

This research plan outlines the methodology for exploiting a Cross-Site Request Forgery (CSRF) vulnerability in the True Ranker plugin for WordPress.

1. Vulnerability Summary

The True Ranker plugin (<= 2.2.9) contains a CSRF vulnerability in its account disconnection logic. The plugin registers or monitors an action named seolocalrank-signout but fails to implement WordPress nonce verification (check_admin_referer or wp_verify_nonce). Consequently, an attacker can craft a malicious request that, when executed by an authenticated administrator, silently disconnects the site from the True Ranker service, potentially disrupting SEO monitoring and data synchronization.

2. Attack Vector Analysis

  • Vulnerable Action: seolocalrank-signout
  • Endpoint: wp-admin/admin.php or wp-admin/admin-post.php (depending on registration)
  • HTTP Method: Likely GET (common for sign-out links) or POST.
  • Authentication: Requires a victim with Administrator privileges.
  • Preconditions: The True Ranker plugin must be active and "connected" (i.e., an API key or token must be stored in the database).

3. Code Flow (Inferred)

  1. Registration: The plugin likely hooks into admin_init or admin_menu to listen for specific parameters, or uses the admin_post_ hook.
  2. Trigger: A request is sent to WordPress with the parameter action=seolocalrank-signout.
  3. Vulnerable Handler:
    • The handler function (e.g., trueranker_signout_handler) checks if the user is an admin using current_user_can('manage_options').
    • Crucially, it misses a call to check_admin_referer('seolocalrank-signout').
  4. Sink: The function proceeds to clear the connection data, typically by calling delete_option() for keys like trueranker_api_key or trueranker_token (inferred).
  5. Redirection: The user is redirected back to the plugin settings page.
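The defect in step 3 of the inferred code flow, shown next to its fix, as an added PHP illustration that is not the plugin's own code: the handler names, the trueranker_api_key option and the admin_post registration are assumptions for the example.

```php
<?php
// Added illustration (not the True Ranker plugin's code). Function names,
// option name and hook registration are assumptions for this example.

// --- Vulnerable pattern (the shape the advisory describes) ---
// A capability check alone does not stop CSRF: a forged request rides on
// the administrator's own session cookie, so current_user_can() passes.
function trueranker_signout_handler_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    delete_option( 'trueranker_api_key' );   // sink: connection data cleared
    wp_safe_redirect( admin_url( 'admin.php?page=seo-local-rank' ) );
    exit;
}

// --- Hardened pattern ---
// 1) The sign-out link carries a nonce tied to the action name. The nonce is
//    derived from the logged-in user's session, so a third-party page cannot
//    know it in advance.
function trueranker_signout_url() {
    $url = admin_url( 'admin-post.php?action=seolocalrank-signout' );
    return wp_nonce_url( $url, 'seolocalrank-signout' );
}

// 2) The handler verifies that nonce before reaching the sink.
//    check_admin_referer() stops with a "link expired" screen when the
//    _wpnonce parameter is missing or invalid, which is the forged-request case.
function trueranker_signout_handler_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'seolocalrank-signout' );
    delete_option( 'trueranker_api_key' );
    wp_safe_redirect( admin_url( 'admin.php?page=seo-local-rank' ) );
    exit;
}

// Assumed registration via the admin_post_{action} hook.
add_action( 'admin_post_seolocalrank-signout', 'trueranker_signout_handler_fixed' );
```

The same nonce check belongs on any other state-changing action the plugin exposes through admin.php, admin-post.php or admin-ajax.php, not only the sign-out path.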

4. Nonce Acquisition Strategy

This vulnerability specifically involves missing nonce validation. Therefore, no nonce is required to successfully trigger the disconnection. The exploit works by omitting the nonce parameter entirely or providing an arbitrary one.

5. Exploitation Strategy

Step 1: Identify the Connection State

First, we must determine which option stores the "connected" state. Based on the plugin slug seo-local-rank, we will check for options related to trueranker or seolocalrank.

Step 2: Craft the CSRF Request

We will simulate a CSRF attack where an admin's session is used to hit the vulnerable endpoint.

Request Configuration:

  • Tool: http_request
  • URL: http://localhost:8080/wp-admin/admin.php?action=seolocalrank-signout (Primary candidate) or http://localhost:8080/wp-admin/admin-post.php?action=seolocalrank-signout (Secondary candidate).
  • Method: GET
  • Headers: Standard admin headers (handled by the agent's session).

Step 3: Execution Plan

  1. Verify the plugin is "connected" by setting a dummy API key in the database via WP-CLI.
  2. Navigate to the WordPress admin dashboard as an administrator.
  3. Execute the http_request representing the CSRF payload.
  4. Observe the response (usually a 302 redirect).
  5. Verify the dummy API key has been deleted from the database.

6. Test Data Setup

To test the vulnerability, the environment must be prepared as follows:

  1. Install Plugin: Ensure True Ranker <= 2.2.9 is installed and active.
  2. Simulate Connection:
    # Identify the correct option name (likely trueranker_api_key or similar)
    # For PoC, we will search for the option or set a known one based on source analysis
    wp option update trueranker_api_key "test_vulnerability_token_12345"
    
  3. Create Admin Session: The automated agent must be logged in as a user with manage_options capabilities.

7. Expected Results

  • Response: The HTTP request should return a 302 Found redirecting back to the plugin's main settings page (admin.php?page=seo-local-rank).
  • Side Effect: The WordPress option holding the API key/token will be deleted.
  • UI Change: If the admin navigates to the True Ranker settings page, they should see a "Login" or "Connect" prompt instead of a connected dashboard.

8. Verification Steps

After sending the exploit request, run the following WP-CLI command to confirm the account was disconnected:

# Check if the option still exists
wp option get trueranker_api_key

Success Criteria: The command returns an error indicating the option does not exist, or returns an empty value, confirming the delete_option call was triggered without a nonce check.

9. Alternative Approaches

If the GET request to admin.php fails, try:

  1. POST Request: Some handlers only respond to POST.
    // Using http_request tool with:
    method: "POST",
    body: "action=seolocalrank-signout",
    headers: { "Content-Type": "application/x-www-form-urlencoded" }
  2. Different Endpoint: Check if the action is handled via admin-ajax.php without a nonce check, although the description specifically points to a sign-out action which is usually a page-level redirect.
  3. Parameter Search: If seolocalrank-signout is not the direct action, look for the "Sign Out" button in the plugin UI using browser_navigate and inspect the URL parameters it uses.
