CVE-2014-9392

MEDIUM 6.8 / 10.0
Published: December 31, 2014 at 09:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: cve@mitre.org

Vulnerability Description

Cross-site request forgery (CSRF) vulnerability in the PictoBrowser (pictobrowser-gallery) plugin 0.3.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the pictoBrowserFlickrUser parameter in the options-page.php page to wp-admin/options-general.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

WordPress sites running a vulnerable version of the PictoBrowser plugin are exposed to a Cross-Site Request Forgery (CSRF) attack that rides on a logged-in administrator's authentication. Through it an attacker can store malicious JavaScript in the plugin's settings (a cross-site scripting (XSS) payload), potentially leading to complete site compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Victim Login: An administrator of a WordPress site with the vulnerable PictoBrowser plugin is logged in to their WordPress dashboard.

Step 2: Attack Vector: The attacker crafts a malicious link or embeds malicious code (e.g., in an email, a forum post, or a compromised website) that, when clicked or loaded, initiates a request to the vulnerable options-general.php page.

Step 3: CSRF Exploitation: The malicious request includes a crafted pictoBrowserFlickrUser parameter containing malicious JavaScript (XSS payload). Because the plugin lacks CSRF protection, the browser automatically sends the request with the administrator's session cookies.

Step 4: Payload Execution: The server processes the request, updating the plugin settings with the attacker-controlled JavaScript. When the administrator views any page where the plugin's settings are used, the malicious JavaScript executes in their browser.

Step 5: Privilege Escalation: The injected JavaScript executes with the administrator's privileges. The attacker can then perform actions like creating new administrator accounts, modifying website content, or stealing sensitive data.

03 // Deep Technical Analysis

The vulnerability combines a CSRF flaw with a stored XSS flaw in the PictoBrowser plugin. The settings form in the plugin's options-page.php file submits to wp-admin/options-general.php without a CSRF token, so the request that saves the plugin's settings cannot be distinguished from one forged by a third-party site, and the pictoBrowserFlickrUser parameter carried by that request is stored without adequate input validation, so it can contain arbitrary JavaScript. An attacker who tricks an authenticated administrator into submitting such a crafted request therefore gets the JavaScript stored in the settings and executed in the administrator's browser, from where it can act on the administrator's behalf: modifying site content, installing backdoors, or stealing sensitive information. The root cause is a missing or inadequate CSRF token check combined with insufficient input validation on the pictoBrowserFlickrUser parameter.
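As an added illustration (not the PictoBrowser plugin's own code), the following WordPress settings handler shows the two controls whose absence the analysis describes: a nonce bound to the administrator's session that a cross-site request cannot supply, and sanitization of the submitted value with escaping wherever it is output. The option name pb_flickr_user, the function names, and the character allow-list for a Flickr user id are assumptions.

```php
<?php
// Added illustration, not the PictoBrowser plugin's code. The hypothetical
// option 'pb_flickr_user' stands in for the pictoBrowserFlickrUser setting.

// Render the settings form. wp_nonce_field() embeds a per-user, time-limited
// token that a forged request from another origin cannot know (the CSRF control).
function pb_render_options_page() {
    $current = get_option( 'pb_flickr_user', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'pb_save_options', 'pb_nonce' ); ?>
        <input type="hidden" name="action" value="pb_save_options">
        <label>Flickr user
            <!-- esc_attr() keeps a stored value from breaking out of the attribute -->
            <input type="text" name="pictoBrowserFlickrUser" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. Order matters: capability, then nonce, then sanitize, then store.
function pb_save_options() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies with a 403 if the nonce is absent or invalid,
    // so a request riding on the administrator's cookies alone is rejected here.
    check_admin_referer( 'pb_save_options', 'pb_nonce' );

    $raw = isset( $_POST['pictoBrowserFlickrUser'] ) ? wp_unslash( $_POST['pictoBrowserFlickrUser'] ) : '';
    // sanitize_text_field() strips tags and control characters; the allow-list
    // (an assumption about valid Flickr ids/aliases) rejects anything script-like.
    $user = sanitize_text_field( $raw );
    if ( ! preg_match( '/^[A-Za-z0-9@_.\-]{1,64}$/', $user ) ) {
        wp_die( 'Invalid Flickr user', '', array( 'response' => 400 ) );
    }
    update_option( 'pb_flickr_user', $user );
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_pb_save_options', 'pb_save_options' );

// Wherever the stored value reaches a page, escape it for its output context.
function pb_render_gallery_embed() {
    echo '<div class="pictobrowser" data-flickr-user="' . esc_attr( get_option( 'pb_flickr_user', '' ) ) . '"></div>';
}
```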

CVE-2014-9392 - MEDIUM Severity (6.8) | Free CVE Database | 4nuxd