CSRF in WP User Groups allows anybody to modify user groups and types


Last revised:

WP User Groups creates new bulk actions to put users into (or remove them from) “groups” and “types”. A nonce is sent with the request, but it is not checked.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 4.3 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality None
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Activate the plugin
  • Make sure you have a user with user_id=1
  • Visit http://localhost/wp-admin/edit-tags.php?taxonomy=user-group and create a group called “Cat” with slug “cat”
  • Visit http://localhost/wp-admin/users.php?users%5B%5D=1&action2=add-cat-user-group
  • If you go back to http://localhost/wp-admin/users.php you’ll see the user with user_id=1 is now in the group “Cat”

Advisory timeline

  • 2018-04-12: Discovered
  • 2018-04-16: Reported to plugin author via email
  • 2018-04-16: Vendor reported fixed in 2.1.1
  • 2018-05-11: Advisory published
  • 2018-06-07: CVE requested
  • 2018-06-23: CVE assigned

Mitigation/further actions

Upgrade to version 2.1.1 or later.