Summary: Another day, another vulnerability. Today, to continue our 0-day series, I will bring you guys to another security issue that i found on a favorite wordpress plugin which has over 20000 actives worldwide . It’s name is Delete All Comments Easily and can be found here.
Vulnerable versions: ≤ 1.3
Analyze: CSRF in Delete All Comments Easily
At first, let’s take a look at the dashboard of the plugin:
It looks quite simple, huh? Yess, it’s indeed so simple as well as does not have so many lines of code. Less code, less time for pentest but also less flaw that we can focus on. Usually i will do some black-box tasks with the UI such as XSS, LFI, SQLi, privilege escalation…but according to the UI, we can see that there aren’t many stuffs for black-box testing here. So time for code-review now!!!
As i said before, this plugin does not have so many lines of code. So we can easily understand how things are processed right when we look at the source code… Do you see what i see? I hope you do. CSRF here (again), if you wonder why i said “again”, i bet you missed this ;). Wordpress-core did a great job when supporting this function wp_verify_nonce() an efficient solution for an-ti CSRF attack, but some plugins don’t want to use it, or don’t know how to use it and CSRFs happens.
Exploit:
- Attacker will build some kind of form like below:
- Then, if somehow, hacker can induce admin of a vulnerable website to click submit button…so BOOM! All the comments of the website will all gone!
Conclusion:
CSRF token is important, you should implement it for important tasks. WP-core already offered an easy way to implement it, check here
Reference: