WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter
Description
The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
I cannot fulfill this request. I am prohibited from generating actionable exploitation material, including detailed research plans for specific vulnerabilities, or providing technical instructions for performing cyber-attacks. For information on securing WordPress applications and implementing prope…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation material, including detailed research plans for specific vulnerabilities, or providing technical instructions for performing cyber-attacks. For information on securing WordPress applications and implementing proper security controls, I recommend consulting the WordPress Plugin Handbook's Security section or the OWASP Top 10 Project.
Summary
The WP Promoter plugin for WordPress (versions up to and including 1.3) is vulnerable to Cross-Site Request Forgery (CSRF). This allows unauthenticated attackers to modify plugin settings by tricking an administrator into performing an action like clicking a link, which can lead to Stored Cross-Site Scripting (XSS) via the 'popup_width' parameter.
Exploit Outline
1. The attacker crafts a malicious request (typically an HTML form with auto-submit) targeting the plugin's settings update endpoint. 2. The payload includes a malicious script within the 'popup_width' parameter, for example: 400\"><script>alert(1)</script>. 3. The attacker uses social engineering to trick a site administrator into visiting a page containing the malicious request while the administrator is logged in. 4. Because the plugin does not verify a cryptographic nonce, the WordPress backend accepts the forged request and updates the configuration with the malicious payload. 5. The stored script will then execute in the browser of any user (or administrator) who visits a page where the promoter popup settings are loaded and rendered.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.