Advisory:

CSRF in Member Approval 131109 permits unapproved registrations

Vulnerability

By convincing a logged-in administrator to visit a link of the attacker's choosing, an attacker can reset the plugin's options to their defaults, at which point registrations become open to everybody without requiring approval.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability (CVSS v2):

  Score            5.8 (Medium)
  Access vector    Network
  Complexity       Medium
  Authentication   None
  Confidentiality  Partial
  Integrity        Partial
  Availability     None

Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:N
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Submitting the form below while logged in as an administrator resets the plugin to its defaults (with some slight modifications there may be a stored XSS here too, but I did not investigate further):

<form method="post" action="http://localhost/wp-admin/options-general.php?page=member-approval">
  <input type="submit">
</form>

Note: no action by the admin beyond visiting the page is necessary, assuming the attacker can persuade an admin to visit a page under their control, because the form can be submitted automatically with JavaScript.
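The root cause of this bug class is a settings handler that acts on any POST without checking a nonce bound to the administrator's session. The following is an added illustration written for this advisory, not the Member Approval plugin's own code (the option name, page slug and action names are assumed), showing the vulnerable reset pattern beside a hardened version that uses WordPress's capability and nonce checks:

```php
<?php
// Added illustration of the bug class, not the Member Approval plugin's code.
// Option, page and action names below are assumed for the example.

// VULNERABLE: any POST that reaches the settings page resets the options.
// A cross-site form (like the advisory's proof of concept) submitted by a
// logged-in admin carries the admin's cookies, so it runs with their rights.
function example_vulnerable_reset_handler() {
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['reset'] ) ) {
        delete_option( 'example_member_approval_settings' ); // back to defaults
    }
}

// HARDENED: the form embeds a nonce tied to the current user and action, and
// the handler refuses a POST that lacks a valid nonce or comes from a user
// without the manage_options capability.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example-page' ) ); ?>">
        <?php wp_nonce_field( 'example_reset_settings', 'example_reset_nonce' ); ?>
        <input type="submit" name="reset" value="Reset to defaults">
    </form>
    <?php
}

function example_hardened_reset_handler() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['reset'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: a page on the attacker's site cannot know this per-user
    // token, so check_admin_referer() stops the request before the option
    // is touched (it calls wp_die() on failure).
    check_admin_referer( 'example_reset_settings', 'example_reset_nonce' );
    delete_option( 'example_member_approval_settings' );
}
```

Both handlers assume they are hooked into the plugin's settings page load; the hardened one is the pattern a fix for this advisory would need.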

Advisory timeline

  • 2014-04-08: Discovered
  • 2014-04-10: Reported to plugins@wordpress.org
  • 2014-06-10: No response from author. Published.

Mitigation/further actions

Disable the plugin until a fix is available.