CVE-2014-9393

MEDIUM 6.8 / 10.0
Published: December 31, 2014 at 09:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: cve@mitre.org

Vulnerability Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the Post to Twitter plugin 0.7 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) idptt_twitter_username or (2) idptt_tweet_prefix parameter to wp-admin/options-general.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

WordPress websites using the Post to Twitter plugin versions 0.7 and earlier are vulnerable to Cross-Site Request Forgery (CSRF): an attacker who can get a logged-in administrator's browser to submit a forged settings request can store malicious JavaScript in the plugin's configuration. Because that stored script later executes in the site's pages, the flaw can lead to complete site compromise, including administrator account takeover and potential data breaches.

02 // Vulnerability Mechanism

Step 1: Victim Login: An administrator of the vulnerable WordPress site is logged in to their account.

Step 2: Malicious Link/Request: The attacker crafts a malicious link or request. This could be embedded in an email, a compromised website, or a social engineering attack.

Step 3: Request Execution: The administrator clicks the malicious link or, unknowingly, has the request executed (e.g., via an image tag or a hidden form). This request targets the wp-admin/options-general.php page with the idptt_twitter_username or idptt_tweet_prefix parameters containing malicious JavaScript code.

Step 4: Plugin Configuration Modification: The request is processed by the WordPress site, and the Post to Twitter plugin's settings are updated. The malicious JavaScript is saved as part of the plugin's configuration.

Step 5: XSS Trigger: When the plugin later uses the stored settings, whether while interacting with Twitter or while displaying content on the website, the injected JavaScript is rendered into the page and executes in the administrator's browser, turning the CSRF into a stored XSS.

Step 6: Account Takeover/Compromise: The attacker's JavaScript can perform various actions, such as creating new administrator accounts, stealing cookies, or redirecting the administrator to a phishing site, effectively taking over the site.

03 // Deep Technical Analysis

The vulnerability stems from a lack of CSRF protection on the Post to Twitter plugin's settings handler (wp-admin/options-general.php). The plugin does not verify that a settings-update request originated from its own admin form, so it accepts a request forged by a third-party page and submitted by a logged-in administrator's browser, and applies the attacker-chosen values to its configuration. Because the idptt_twitter_username and idptt_tweet_prefix parameters are also not properly sanitized, the attacker can persist arbitrary JavaScript in the plugin's settings, which then executes when the plugin interacts with Twitter or displays content on the website. The root cause is therefore twofold: the absence of a nonce or other CSRF token, which lets requests from a different origin be forged, combined with missing input sanitization of those two parameters, which turns the forged request into a stored XSS.
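The CSRF-plus-stored-XSS chain described in sections 02 and 03 comes down to a settings handler that checks neither a request token nor its inputs. The PHP below is an added illustration, not the Post to Twitter plugin's actual code: a hypothetical handler for two options named after the advisory's parameters, shown first as the vulnerable pattern and then hardened with WordPress's nonce, capability, sanitization and output-escaping APIs (the function names are assumed).

```php
<?php
// Added illustration, not the plugin's own code; option names are from the advisory, function names are hypothetical.
// VULNERABLE PATTERN: accepts any POST that reaches the admin page. No nonce and no
// capability check, so a request forged by another site and sent by a logged-in
// administrator's browser is stored as-is, and the value later reaches a page unescaped.
function idptt_save_settings_vulnerable() {
    if ( isset( $_POST['idptt_twitter_username'] ) ) {
        update_option( 'idptt_twitter_username', $_POST['idptt_twitter_username'] );
        update_option( 'idptt_tweet_prefix', $_POST['idptt_tweet_prefix'] );
    }
}
// HARDENED VERSION: the controls the advisory identifies as missing.
function idptt_save_settings_hardened() {
    if ( ! isset( $_POST['idptt_save'] ) ) {
        return;
    }
    // CSRF: the request must carry a nonce bound to this action and this user's
    // session; a form on another origin cannot obtain one. check_admin_referer() dies on failure.
    check_admin_referer( 'idptt_save_settings', 'idptt_nonce' );
    // Authorisation: only users who may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Input sanitisation: strip tags and control characters, then enforce the
    // expected format (a Twitter handle is 1-15 letters, digits or underscores).
    $username = sanitize_text_field( wp_unslash( $_POST['idptt_twitter_username'] ?? '' ) );
    $prefix   = sanitize_text_field( wp_unslash( $_POST['idptt_tweet_prefix'] ?? '' ) );
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,15}$/', $username ) ) {
        wp_die( 'Invalid Twitter username.' );
    }
    update_option( 'idptt_twitter_username', $username );
    update_option( 'idptt_tweet_prefix', $prefix );
}
// Rendering the form: emit the nonce field and escape stored values on output.
function idptt_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'idptt_save_settings', 'idptt_nonce' ); ?>
        <input type="text" name="idptt_twitter_username"
               value="<?php echo esc_attr( get_option( 'idptt_twitter_username', '' ) ); ?>">
        <input type="text" name="idptt_tweet_prefix"
               value="<?php echo esc_attr( get_option( 'idptt_tweet_prefix', '' ) ); ?>">
        <input type="submit" name="idptt_save" value="Save">
    </form>
    <?php
}
```

Escaping on output with esc_attr() is the second line of defence: even a value that reached the database through some other path is rendered as text rather than markup.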

CVE-2014-9393 - MEDIUM Severity (6.8) | Free CVE Database | 4nuxd