Advisory:

CSRF vulnerability in WP HTML Sitemap 1.2

Vulnerability

A CSRF vulnerability exists which allows an attacker to delete the sitemap if a logged-in admin user visits a link of the attacker’s choosing.

Line 202 of inc/AdminPage.php says “// check whether form was just submitted” but the following if/elseif statements only check whether a particular button was pressed without checking nonce values. The form in question is printed in wp_html_sitemap_AdminPage::createSitemapForm() around line 146 of the same file.
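The pattern the advisory describes, and the standard WordPress fix for it, as an added example (hypothetical code, not taken from inc/AdminPage.php; the option name, nonce action and field name are assumptions):

```php
<?php
// Added illustration of the flaw described in the advisory. Neither function is
// the plugin's own code; the option name 'wp_html_sitemap_data' is assumed.

// Vulnerable pattern: the handler only checks which button was pressed, so any
// POST carrying the button name is honoured, including one from a foreign page.
function handle_sitemap_form_vulnerable() {
    if ( isset( $_POST['deleteSitemap'] ) ) {
        delete_option( 'wp_html_sitemap_data' );
    }
}

// Hardened handler: capability check, then nonce verification before acting.
// check_admin_referer() stops with a "link has expired" page when the nonce
// is missing or invalid, which is what a forged cross-site form produces.
function handle_sitemap_form_hardened() {
    if ( ! isset( $_POST['deleteSitemap'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'wp_html_sitemap_delete', 'wp_html_sitemap_nonce' );
    delete_option( 'wp_html_sitemap_data' );
}

// The admin form must emit the matching nonce field (assumed action and
// field names) so that legitimate submissions pass the check above.
function render_sitemap_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wp_html_sitemap_delete', 'wp_html_sitemap_nonce' ); ?>
        <input type="submit" name="deleteSitemap" value="Delete Sitemap">
    </form>
    <?php
}
```

The nonce is tied to the logged-in user and action, so the proof-of-concept form below, which cannot supply it, no longer triggers the deletion.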

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

  Score            4.3 (Medium)
  Vector           Network
  Complexity       Medium
  Authentication   None
  Confidentiality  None
  Integrity        Partial
  Availability     None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

This form deletes the sitemap without requiring a nonce value:

<form action="http://not-a-real-site.local/wp-admin/options-general.php?page=wp-html-sitemap&tab=general" method="POST">
  <input type="text" name="deleteSitemap" value="Delete Sitemap">
  <input type="submit">
</form>

Advisory timeline

  • 2014-02-21: Discovered
  • 2014-02-26: Reported
  • 2014-03-28: No response received. Published

Mitigation/further actions

Disable the plugin until a fix is available.