Multiple cross-site request forgery (CSRF) vulnerabilities in the PWGRandom plugin 1.11 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) pwgrandom_title or (2) pwgrandom_category parameter in the pwgrandom page to wp-admin/options-general.php.
Administrators of WordPress sites using the PWGRandom plugin are vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to inject malicious JavaScript and potentially take complete control of the website. This vulnerability, combined with cross-site scripting (XSS), enables attackers to compromise the site's functionality and steal sensitive information. The plugin's failure to properly validate user input allows for the injection of malicious code through the pwgrandom_title or pwgrandom_category parameters.
Step 1: Craft Malicious Payload: The attacker crafts a malicious URL containing a JavaScript payload within the pwgrandom_title or pwgrandom_category parameter. This payload is designed to execute arbitrary code within the context of the administrator's browser.
Step 2: Social Engineering: The attacker uses social engineering techniques (e.g., phishing emails, malicious links) to trick an authenticated administrator into visiting a webpage containing the crafted malicious URL. This could be a link embedded in an email or a hidden iframe on a compromised website.
Step 3: CSRF Exploitation: When the administrator's browser loads the malicious URL, the browser automatically sends a request to wp-admin/options-general.php with the attacker's crafted payload. Because the plugin lacks CSRF protection, the request is processed as if it originated from the administrator.
Step 4: XSS Execution: The plugin processes the request, storing the attacker's JavaScript payload within the database. When the affected page is rendered, the attacker's JavaScript payload is executed within the administrator's browser, allowing the attacker to perform actions as the administrator, such as modifying the site's content, installing malicious plugins, or stealing sensitive information.
The vulnerability stems from insufficient input validation and missing CSRF protection in the PWGRandom plugin. Specifically, the plugin's settings page, reached through wp-admin/options-general.php, fails to sanitize the user-supplied pwgrandom_title and pwgrandom_category parameters, so a request can carry a JavaScript payload in either field. Because the settings handler does not verify a CSRF token (a WordPress nonce), an attacker can trick an authenticated administrator into submitting that request, and the stored payload then executes in the administrator's browser. The result is persistent XSS on the settings page, which can be leveraged to change site settings or take over the WordPress installation. The root cause is the absence of CSRF token validation combined with the lack of input sanitization and output escaping, allowing arbitrary HTML/JavaScript to be stored and rendered.
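The following is an added illustration, not the PWGRandom plugin's own code: a hypothetical settings handler with the two defects the advisory describes (no nonce check, unsanitized input) beside a hardened version that uses WordPress core APIs. The option names come from the advisory; the hook, form field and nonce action names, and the assumption that pwgrandom_category holds a numeric category ID, are mine.

```php
<?php
// Hypothetical handler showing the pattern behind the reported flaw.
function pwgrandom_save_settings_unsafe() {
    if ( isset( $_POST['pwgrandom_title'] ) ) {
        // No capability check, no nonce, no sanitization: a forged POST sent by a
        // logged-in administrator's browser is stored verbatim and later rendered.
        update_option( 'pwgrandom_title', $_POST['pwgrandom_title'] );
        update_option( 'pwgrandom_category', $_POST['pwgrandom_category'] );
    }
}

// Hardened handler (added example; hook and field names are assumptions).
function pwgrandom_save_settings() {
    if ( ! isset( $_POST['pwgrandom_save'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF: the request must carry a nonce issued to this user for this action;
    //    check_admin_referer() dies with an error page if it is missing or invalid.
    check_admin_referer( 'pwgrandom_save_settings', 'pwgrandom_nonce' );

    // 3. Sanitize on input: strip tags and control characters from the title;
    //    coerce the category (assumed to be a category ID) to a non-negative int.
    $title    = sanitize_text_field( wp_unslash( $_POST['pwgrandom_title'] ?? '' ) );
    $category = absint( $_POST['pwgrandom_category'] ?? 0 );

    update_option( 'pwgrandom_title', $title );
    update_option( 'pwgrandom_category', $category );
}
add_action( 'admin_init', 'pwgrandom_save_settings' );

// 4. Escape on output: stored values are escaped again when the form is rendered,
//    so even a value that slipped past sanitization cannot become markup.
function pwgrandom_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=pwgrandom' ) ); ?>">
        <?php wp_nonce_field( 'pwgrandom_save_settings', 'pwgrandom_nonce' ); ?>
        <input type="text" name="pwgrandom_title"
               value="<?php echo esc_attr( get_option( 'pwgrandom_title', '' ) ); ?>">
        <input type="number" name="pwgrandom_category" min="0"
               value="<?php echo esc_attr( get_option( 'pwgrandom_category', 0 ) ); ?>">
        <?php submit_button( 'Save', 'primary', 'pwgrandom_save' ); ?>
    </form>
    <?php
}
```

Nonce verification, a capability check, input sanitization and output escaping are independent layers; the advisory's class of bug needs the first and the last two, and a settings handler should apply all four.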