Analyze: CSRF in wp-pro-quiz
Look at this snippet of code from wp-pro-quiz/lib/controller/WpProQuiz_Controller_Quiz.php:
We can see that $_GET['id'] is passed directly into deleteAction(), which is implemented as below:
After checking the user's permission, $id is passed into deleteAll(). There, the application runs a SQL query that deletes every record with that quiz ID.
So it is easy to see that there is no CSRF token anywhere in the flow: a quiz can be removed with a single request. The permission check only confirms that the requester is logged in as an admin; it does not confirm that the admin actually intended to send that request, and the browser attaches the admin's session cookies to a cross-site request automatically. We have CSRF here!
Exploit:
- The attacker gets the admin to load a URL of the form http://victim.com/wp-admin/admin.php?page=wpProQuiz&action=delete&id=4 (a link the admin clicks, or an <img> tag on any page the admin visits, since a plain GET request is enough)
- When the admin's browser sends the request, the quiz with id 4 is removed
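The flow described above, as an added example that is not the plugin's own code: a minimal WordPress admin delete handler in the vulnerable shape (capability check only, then delete) next to a hardened version that issues and verifies a nonce. The function names, the 'manage_options' capability, the nonce action string and the table name are assumptions made for the example; current_user_can(), wp_die(), add_query_arg(), admin_url(), wp_nonce_url(), check_admin_referer() and $wpdb->prepare() are real WordPress APIs, and the example assumes it runs inside WordPress.

```php
<?php
// Added example: a WordPress admin "delete by id" flow, vulnerable vs. hardened.
// Assumes it is loaded inside WordPress. Names prefixed example_ and the table
// name are illustrative, not wp-pro-quiz's own code.

// Vulnerable pattern, mirroring the flow analysed above: it only checks WHO is
// logged in, not whether the request was deliberately issued from the plugin's
// own UI. Any page that makes the admin's browser fetch this URL triggers it.
function example_vulnerable_delete_action() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Permission denied' );
    }
    $id = isset( $_GET['id'] ) ? (int) $_GET['id'] : 0;
    example_delete_quiz( $id ); // runs DELETE ... WHERE id = $id with no CSRF check
}

// Hardened pattern, step 1: the delete link the plugin renders carries a nonce.
// The nonce action string is bound to the record id, so a nonce minted for
// id=4 does not authorise deleting id=5.
function example_delete_link( $id ) {
    $id  = (int) $id;
    $url = add_query_arg(
        array( 'page' => 'wpProQuiz', 'action' => 'delete', 'id' => $id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_delete_quiz_' . $id, '_wpnonce' );
}

// Hardened pattern, step 2: the handler verifies the nonce before doing work.
// check_admin_referer() calls wp_die() when _wpnonce is missing or does not
// match the action, so a forged cross-site URL (which cannot carry a valid
// nonce, because the attacker cannot read the admin's pages) stops here.
function example_hardened_delete_action() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Permission denied' );
    }
    $id = isset( $_GET['id'] ) ? (int) $_GET['id'] : 0;
    check_admin_referer( 'example_delete_quiz_' . $id, '_wpnonce' );
    example_delete_quiz( $id );
}

// Shared delete helper. The table name is an assumption for the example;
// $wpdb->prepare() keeps the id parameterised.
function example_delete_quiz( $id ) {
    global $wpdb;
    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_quiz_master WHERE id = %d",
            (int) $id
        )
    );
}
```

The nonce is what the attacker cannot supply: it is derived from the logged-in user's session and the action string, and the attacker's page never sees it. Two further hardening choices a reviewer would ask for: perform the delete on a POST (a form with the nonce as a hidden field) rather than a GET, and re-check the capability and the nonce inside the handler rather than only where the link is rendered.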
Conclusion:
A CSRF token (in WordPress, a nonce verified with check_admin_referer() or wp_verify_nonce()) is important; implement one for every state-changing action, and prefer POST over GET for such actions.
Reference: