CVSS Summary
| Score | 5.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Last revised:
By convincing a logged-in administrator to visit a link of the attacker's choosing, an attacker can reset the plugin's options to their defaults (a cross-site request forgery). With the default options, registration is open to everybody and no approval is required.
Current state: Reported
By clicking the submit button here, an admin will reset the plugin to the defaults (with some slight modifications there may be a stored XSS here too, but I did not investigate further):

```html
<form method="post" action="http://localhost/wp-admin/options-general.php?page=member-approval">
  <input type="submit">
</form>
```

Note: no admin action is necessary assuming the attacker can persuade an admin to visit a page under their control, as the form can be submitted using JavaScript.
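The reset succeeds because the settings page acts on any POST it receives, with nothing tying the request to a form that WordPress issued to that administrator. The following is an added example of how such a handler can be protected; it is not the plugin's code. The option name `member_approval_options`, the `ma_example_*` function names, the nonce action `member_approval_reset` and the default values are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the plugin. Option name, defaults, nonce action
// and function names are assumptions used to illustrate the fix.

function ma_example_defaults() {
    // Assumed default: the advisory states that the defaults open registration
    // to everybody without approval.
    return array( 'require_approval' => false );
}

// Assumed shape of the vulnerable handler: any POST reaching the settings page
// resets the options. The PoC form above is enough to trigger it.
function ma_example_handle_reset_vulnerable() {
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        update_option( 'member_approval_options', ma_example_defaults() );
    }
}

// Hardened handler: the reset only runs for a user who may manage options and
// who submitted the plugin's own form carrying a valid nonce.
function ma_example_handle_reset() {
    if ( empty( $_POST['member_approval_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset these options.' );
    }
    // check_admin_referer() calls wp_die() when the nonce field is missing or
    // was not issued for this action to the current user's session, so a form
    // hosted on an attacker's site cannot pass it.
    check_admin_referer( 'member_approval_reset', 'member_approval_nonce' );
    update_option( 'member_approval_options', ma_example_defaults() );
}
add_action( 'admin_init', 'ma_example_handle_reset' );

// The plugin's own reset form: wp_nonce_field() emits the hidden nonce input
// (and the _wp_http_referer field) that the handler above verifies.
function ma_example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=member-approval' ) ); ?>">
        <?php wp_nonce_field( 'member_approval_reset', 'member_approval_nonce' ); ?>
        <input type="hidden" name="member_approval_reset" value="1">
        <?php submit_button( 'Reset to defaults' ); ?>
    </form>
    <?php
}
```

The capability check and the nonce check do different jobs: `current_user_can()` stops non-administrators, while `check_admin_referer()` stops a request that an administrator's browser was tricked into sending. Both are needed; the nonce alone would still let a lower-privileged user with a valid nonce for this action trigger the reset if the action were ever exposed to them.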
Disable the plugin until a fix is available.