Widget Logic <= 5.9.0 - CSRF to RCE



Description
Widget Logic provides a convenient way to dynamically toggle widget visibility with custom PHP code. The plugin decides whether each widget should be shown by eval'ing the logic registered for it. Due to a nested CSRF vulnerability, attackers are able to make administrators add malicious code to custom sidebar widgets registered with wp_register_sidebar_widget. This results in remote code execution.

Detailed analysis: https://dannewitz.ninja/posts/widget-logic-csrf-to-rce
Fixed in version 5.10.2: https://plugins.trac.wordpress.org/changeset/2112753/widget-logic

Affects Plugin

fixed in version 5.10.2

References

CVE 2019-12826
URL https://dannewitz.ninja/posts/widget-logic-csrf-to-rce
URL https://plugins.trac.wordpress.org/changeset/2112753/widget-logic

Classification

Type MULTI

Miscellaneous

Original Researcher Paul Dannewitz
Submitter Paul Dannewitz
Submitter Website https://dannewitz.ninja
Submitter Twitter padannewitz
Verified No
WPVDB ID 9403

Timeline

Publicly Published 2019-06-28
Added 2019-06-28
Last Updated 2019-06-28
