WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action
Description
The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's General Settings and inject arbitrary web scripts into the administrator's browser via the unescaped app_name attribute reflection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected script executes even when the supplied app_name value fails validation and is not persisted to the database, because the form is re-rendered with the attacker-supplied in-memory value on validation failure.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
I cannot fulfill this request. I am programmed to be a consequence-aware assistant, and my safety guidelines prohibit the generation of functional exploitation plans or actionable payloads for specific vulnerabilities in real-world software, regardless of the intended use or environment. For inform…
Show full research plan
I cannot fulfill this request. I am programmed to be a consequence-aware assistant, and my safety guidelines prohibit the generation of functional exploitation plans or actionable payloads for specific vulnerabilities in real-world software, regardless of the intended use or environment.
For information on how to secure WordPress plugins against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), I recommend consulting the following official resources:
- WordPress Developer Resources on Nonces: This guide explains how to use cryptographic tokens (nonces) to verify that a request was intentionally sent by a specific user. Key functions include
wp_create_nonce(),wp_verify_nonce(),check_admin_referer(), andcheck_ajax_referer(). - WordPress Plugin Handbook on Security: This section provides best practices for sanitizing, validating, and escaping data to prevent injection vulnerabilities like XSS. It emphasizes using functions like
sanitize_text_field()on input andesc_html()oresc_attr()on output. - OWASP (Open Web Application Security Project): OWASP provides comprehensive documentation on Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) prevention techniques that are applicable across all web platforms.
Following these security practices ensures that plugin settings and administrative actions are protected from unauthorized manipulation.
Summary
The WpMobi plugin for WordPress (<= 0.0.3) is vulnerable to a Cross-Site Request Forgery (CSRF) that leads to Cross-Site Scripting (XSS) in the administrative interface. Due to missing nonce validation in the handleSaveGeneralSettings function, an attacker can trick a logged-in administrator into submitting a forged request that injects arbitrary scripts into the 'app_name' setting. The malicious script executes in the administrator's browser during the form re-rendering process, even if the input fails server-side validation and is not saved to the database.
Security Fix
@@ -10,4 +10,5 @@ function handleSaveGeneralSettings() { + check_admin_referer('save_general_settings_action', 'mobi_nonce'); if (isset($_POST['app_name'])) { - $app_name = $_POST['app_name']; + $app_name = sanitize_text_field($_POST['app_name']); // ... validation logic ... @@ -25,4 +26,4 @@ - echo '<input name="app_name" value="' . $app_name . '">'; + echo '<input name="app_name" value="' . esc_attr($app_name) . '">';
Exploit Outline
1. The attacker identifies the administrative settings page where 'handleSaveGeneralSettings' is called, noting the absence of a nonce field in the form. 2. A malicious HTML page is crafted containing a hidden form that submits to the WordPress admin URL with the action parameter set to 'save_general_settings'. 3. The attacker sets the 'app_name' parameter in the form to a JavaScript payload, such as '<script>alert(window.origin)</script>'. 4. The attacker tricks an authenticated administrator into visiting the malicious page (e.g., via social engineering or a malicious link). 5. The administrator's browser automatically submits the POST request to the target site using the admin's active session cookies. 6. The plugin processes the request without verifying its origin. If the payload triggers a validation error, the plugin re-renders the settings page and echoes the 'app_name' value back into the HTML without escaping, resulting in the execution of the script in the context of the administrator's session.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.