CSRF in Tooltipy (tooltips for WP) could allow anybody to duplicate posts (WordPress plugin)


Full Disclosure
mailing list archives



From: dxw Security
Date: Tue, 12 Jun 2018 18:39:13 +0000


Details
================
Software: Tooltipy (tooltips for WP)
Version: 5.0
Homepage: https://wordpress.org/plugins/bluet-keywords-tooltip-generator/
Advisory report: https://advisories.dxw.com/advisories/csrf-in-tooltipy/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
================
CSRF in Tooltipy (tooltips for WP) could allow anybody to duplicate posts

Vulnerability
================
There is a CSRF vulnerability in Tooltipy's "KTTG Converter" feature: the converter action is not protected against cross-site requests, so anybody who can convince a logged-in administrator to follow a link to an attacker-controlled page can duplicate posts on the site. The PoC provided below duplicates every post with post_type post. The most obvious malicious use of this vulnerability is to repeat the request until the disk or database quota is exhausted, which could lead to denial of service or other issues.
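As an added illustration, not Tooltipy's code and not part of dxw's report, the following hypothetical WordPress tools page shows the pattern that prevents this class of bug: the duplicate action is only performed on a POST that carries a nonce generated for the current user, and the handler re-checks the caller's capability before touching any post. All plugin-specific names here (example_converter, the nonce action and field name, the menu slug) are invented for the example; the WordPress functions used (add_management_page, wp_nonce_field, check_admin_referer, current_user_can, get_posts, wp_insert_post, submit_button) are real core APIs.

```php
<?php
// Added example, not Tooltipy's code: a hypothetical tools page under
// wp-admin/tools.php that duplicates posts, with CSRF protection.

add_action( 'admin_menu', function () {
    add_management_page(
        'Example Converter',      // page title
        'Example Converter',      // menu title
        'manage_options',         // capability required to see the page
        'example_converter',      // menu slug (hypothetical)
        'example_converter_page'  // render callback
    );
} );

function example_converter_page() {
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // The nonce is bound to the logged-in user, their session and the
        // action name, and expires. A cross-site page can submit a POST but
        // cannot read the nonce value, so this check fails and wp_die()s
        // before any post is duplicated.
        check_admin_referer( 'example_converter_duplicate', 'example_converter_nonce' );

        // Re-check the capability in the handler; the menu capability only
        // controls whether the page is listed.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }

        $count = example_converter_duplicate_posts();
        echo '<div class="notice notice-success"><p>Duplicated '
            . (int) $count . ' posts.</p></div>';
    }
    ?>
    <div class="wrap">
        <h1>Example Converter</h1>
        <form method="post">
            <?php
            // Emits a hidden field named example_converter_nonce with a
            // per-user token for the 'example_converter_duplicate' action.
            wp_nonce_field( 'example_converter_duplicate', 'example_converter_nonce' );
            submit_button( 'Duplicate all posts' );
            ?>
        </form>
    </div>
    <?php
}

// Duplicates every post with post_type post as a draft owned by the
// current user and returns how many copies were created.
function example_converter_duplicate_posts() {
    $posts = get_posts( array(
        'post_type'   => 'post',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );
    $count = 0;
    foreach ( $posts as $post ) {
        $new_id = wp_insert_post( array(
            'post_title'   => $post->post_title,
            'post_content' => $post->post_content,
            'post_status'  => 'draft',
            'post_type'    => 'post',
            'post_author'  => get_current_user_id(),
        ), true );
        if ( ! is_wp_error( $new_id ) ) {
            $count++;
        }
    }
    return $count;
}
```

The nonce alone is what defeats the attack described above: the attacker's page can be made to auto-submit a POST to the tools page in the administrator's browser, but the same-origin policy keeps it from reading the nonce value out of the real form, so check_admin_referer() rejects the request. The capability check is defence in depth against a lower-privileged user who reaches the URL directly.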

Proof of concept
================
Open a page containing the following HTML, and click submit:
http://localhost/wp-admin/tools.php?page=my_keywords_settings_importer";>
Every post with post_type post will have been duplicated. In a real attack, the form can be made to autosubmit.

Mitigations
================
Upgrade to version 5.1 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://advisories.dxw.com/disclosure/

Please contact us on security () dxw com to acknowledge this report if you received it via a third party (for example, plugins () wordpress org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================
2018-03-29: Discovered
2018-04-10: Reported to vendor via email (first attempt)
2018-04-30: Asked if they'd received the email, via Facebook private message (second attempt)
2018-05-03: Reported again via contact form (third attempt)
2018-05-18: Reported to plugins () wordpress org
2018-05-18: WordPress plugin team disabled downloads of the plugin
2018-05-21: Vendor reported a fix has been made for the bug (first contact from vendor)
2018-06-05: Updated version of plugin is now available for download on wordpress.org
2018-06-12: Advisory published

Discovered by dxw:
================
Tom Adams

Please visit advisories.dxw.com for more information.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/