CVSS Summary
| Score | 4.3 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
Advisory:
CSRF in WP User Groups allows anybody to modify user groups and types
Vulnerability
Last revised:
WP User Groups creates new bulk actions to put users into (or remove them from) “groups” and “types”. A nonce is sent with the request, but it is not checked.
Current state: Fixed
Proof of concept
- Activate the plugin
- Make sure you have a user with user_id=1
- Visit http://localhost/wp-admin/edit-tags.php?taxonomy=user-group and create a group called “Cat” with slug “cat”
- Visit http://localhost/wp-admin/users.php?users%5B%5D=1&action2=add-cat-user-group
- If you go back to http://localhost/wp-admin/users.php you’ll see the user with user_id=1 is now in the group “Cat”
Advisory timeline
- 2018-04-12: Discovered
- 2018-04-16: Reported to plugin author via email
- 2018-04-16: Vendor reported fixed in 2.1.1
- 2018-05-11: Advisory published
- 2018-06-07: CVE requested
- 2018-06-23: CVE assigned
Mitigation/further actions
Upgrade to version 2.1.1 or later.