CSRF in Metronet Tag Manager allows anybody to do almost anything an admin can

Vulnerability

Last revised: May 15, 2018

The plugin’s settings page sends a nonce, and checks it when displaying the success/failure message, but is not checked when setting options.

This option is meant to contain JavaScript for Google Tag Manager, so it’s displayed on every frontend page without escaping.

As this vulnerability allows adding arbitrary JavaScript, the attacker can use it to control an admin user’s browser to do almost anything an admin user can do.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	5.8 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	Partial
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Press submit on a page containing the following HTML snippet:

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=metronet-tag-manager">
 <input type="text" name="submit" value="1">
 <input type="text" name="gtm-code-head" value="&lt;script>alert(1)&lt;/script>">
 <input type="submit">
</form>

In a real attack, the form can be made to autosubmit so the victim only has to follow a link.

Advisory timeline

2018-04-13: Discovered
2018-04-16: Reported to plugin author via Facebook private message
2018-04-17: Plugin author confirmed receipt of message
2018-04-24: Plugin changelog indicates bug has been fixed in 1.2.9
2018-05-15: Advisory published
2018-05-22: CVE requested
2018-06-23: CVE assigned

Mitigation/further actions

Upgrade to version 1.2.9 or later.

dxw advisories

Advisory: