SB2019072405 - Multiple vulnerabilities in WPS Cleaner plugin for WordPress
Published: July 24, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "create_zip_archive_medias()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
2) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "delete_zip_archive_medias()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
3) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to the filename is not sanitized in the "delete_zip_archive_medias()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Demo: A form sent by POST with the following values:
- action=delete_zip_archive_medias
- zip=https://example.com/wp-config.php
4) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "create_zip_archive_files()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
5) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to the filename is not sanitized in the "delete_zip_archive_files()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Demo: A form sent by POST with the following values:
- action=delete_zip_archive_files
- zip=https://example.com/wp-config.php
6) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "/classes/plugin.php" file on "1223" line. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Example:
https://example.com/wp-admin/admin-ajax.php?action=wpscleaner_rated
7) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "/classes/plugin.php" file on "1346" line. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Example:
https://example.com/wp-admin/admin-ajax.php?action=delete_alert
8) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the missing control of the sent IDs in the "/classes/plugin.php" file on line 1070 "$files = esc_attr( $_POST['files'] );". A remote attacker can change IDs to select any other media and gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.