ByREV WP-PICShield - Cross-Site Request Forgery (CSRF)
Description
The ByREV WP-PICShield WordPress plugin is vulnerable to CSRF.

When the plugin options are updated, several parameters from the submitted POST request are written directly to the .htaccess file in the WordPress root directory. Because the update request is not protected against CSRF, an attacker may be able to insert arbitrary lines into .htaccess, reconfiguring it to redirect visitors to another website or to perform other malicious actions.

While all plugin options can be updated by an attacker via CSRF, the following parameter values are directly inserted into .htaccess:
byhln[gtfo_key]
byhln[images_extension]
byhln[allowed_domains]
byhln[allowed_user_agents]
byhln[allowed_remote_ip]

The attached PoC demonstrates a CSRF payload which rewrites the victim's .htaccess file to redirect to an attacker-controlled website.

Proof of Concept
The PoC will be displayed on August 05, 2019, to give users the time to update.
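As an added example, not the plugin's or the submitter's code: a hardened options-save handler showing the two controls this issue turns on, a nonce check that rejects a forged cross-site request, and strict validation of each value before it is written to .htaccess. The function names and the rewrite rules are hypothetical; only the option keys come from the advisory.

```php
<?php
// Added example, not the plugin's own code. Function names and rewrite rules
// are hypothetical; the option keys are the ones listed in the advisory.

// One validation pattern per option. A value that does not match is rejected
// outright, which also blocks the newline an injected .htaccess line needs.
const BYHLN_RULES = [
    'gtfo_key'            => '/^[A-Za-z0-9_-]{1,64}$/',
    'images_extension'    => '/^[a-z0-9]{1,8}(\|[a-z0-9]{1,8})*$/',
    'allowed_domains'     => '/^[a-z0-9.-]{1,253}(,[a-z0-9.-]{1,253})*$/i',
    'allowed_user_agents' => '/^[A-Za-z0-9 ._\/-]{1,128}(,[A-Za-z0-9 ._\/-]{1,128})*$/',
    'allowed_remote_ip'   => '/^\d{1,3}(\.\d{1,3}){3}(,\d{1,3}(\.\d{1,3}){3})*$/',
];

// Returns the validated values, or null if any option fails its pattern.
function byhln_validate(array $input): ?array {
    $clean = [];
    foreach (BYHLN_RULES as $key => $pattern) {
        $value = isset($input[$key]) ? (string) $input[$key] : '';
        if (!preg_match($pattern, $value)) {
            return null;   // reject, do not "repair": silent changes are hard to audit
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Options handler: every check runs before anything touches disk.
function byhln_save_options(): void {
    // Authorisation: only users allowed to manage options may change rewrite rules.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    // CSRF defence: the form must carry the nonce emitted by
    // wp_nonce_field('byhln_save', 'byhln_nonce'); a forged cross-site POST lacks it.
    check_admin_referer('byhln_save', 'byhln_nonce');

    $raw   = (isset($_POST['byhln']) && is_array($_POST['byhln'])) ? $_POST['byhln'] : [];
    $clean = byhln_validate($raw);
    if ($clean === null) {
        wp_die('Invalid option value', 400);
    }
    update_option('byhln', $clean);

    // Only validated values reach .htaccess, inside a marker block that WordPress
    // manages, so a later save replaces the block instead of appending to the file.
    $domains = str_replace(',', '|', preg_quote($clean['allowed_domains'], '/'));
    $rules   = [
        'RewriteEngine On',
        "RewriteCond %{HTTP_REFERER} !^https?://([^/]+\\.)?({$domains})/ [NC]",
        "RewriteRule \\.({$clean['images_extension']})$ - [F,NC]",
    ];
    insert_with_markers(ABSPATH . '.htaccess', 'ByREV WP-PICShield', $rules);
}
```

Both checks matter: the nonce stops the forged request, and the pattern validation stops any request, forged or not, from smuggling a new directive into the file.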

Affects Plugin

References

URL http://wp-picshield.com/

Classification

Type CSRF
OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)
CWE CWE-352

Miscellaneous

Submitter Zachary Julian
Submitter Website http://www.zjulian.com/
Submitter Twitter @tprime_
Views 3825
Verified No
WPVDB ID 8738

Timeline

Publicly Published 2017-01-04 (over 2 years ago)
Added 2017-02-22 (over 2 years ago)
Last Updated 2019-07-22 (about 9 hours ago)