CVE-2014-9395

MEDIUM 6.8 / 10.0
Published: December 31, 2014 at 09:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: cve@mitre.org

Vulnerability Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the Simplelife plugin 1.2 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simplehoverback, (2) simplehovertext, (3) flickrback, or (4) simple_flimit parameter in the simplelife.php page to wp-admin/options-general.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String (CVSS v2)
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

WordPress sites running the Simplelife plugin version 1.2 or earlier are exposed to cross-site request forgery (CSRF) in the plugin's settings handler. An attacker who lures a logged-in administrator to a malicious page can make the administrator's browser submit a forged settings update, and because the affected fields are neither validated on save nor escaped on output, that update can plant a stored cross-site scripting (XSS) payload. The payload then executes in the administrator's browser within the site's origin, which can lead to session theft, defacement or further compromise of the site.

02 // Vulnerability Mechanism

Step 1: Victim Login: An administrator logs into the vulnerable WordPress site. Their browser now holds an authenticated wp-admin session cookie and attaches it to later requests to that site, including requests that a page on another origin causes it to send.

Step 2: Attacker Crafting: The attacker builds a malicious HTML page containing a hidden form whose action is the Simplelife settings page under wp-admin/options-general.php and whose fields use the same names as the plugin's own settings form.

Step 3: Payload Injection: One or more of the vulnerable fields (simplehoverback, simplehovertext, flickrback or simple_flimit) is pre-filled with a JavaScript payload. Because the plugin stores the value without sanitizing it, the payload is persisted as a setting and runs later whenever the plugin outputs that setting unescaped.

Step 4: Social Engineering: The attacker lures the logged-in administrator to the malicious page (phishing, social media, a compromised third-party site). The page can be hosted anywhere; no access to the target site is needed.

Step 5: Form Submission (Silent): As soon as the page loads, a script submits the hidden form (or a disguised button does so on click). The browser sends the POST to the target site with the administrator's session cookie attached, and nothing visible tells the administrator that a request was made.

Step 6: Setting Modification: The plugin receives a request it cannot distinguish from a legitimate save: valid session, expected parameter names, and no nonce to check. It writes the attacker's payload into the Simplelife settings.

Step 7: XSS Execution: Whenever the plugin renders the poisoned setting without escaping (for example on its settings page), the payload executes in the site's origin in the browser of whoever views it, usually the administrator. From there the attacker can read cookies, redirect the administrator, or issue further requests with the administrator's privileges.

03 // Deep Technical Analysis

The vulnerability stems from two defects in simplelife.php, the file that handles the plugin's settings form on wp-admin/options-general.php. First, the save handler has no CSRF protection: it neither emits nor verifies a WordPress nonce (wp_nonce_field() on the form, check_admin_referer() on the handler), so it cannot tell a request triggered by a cross-site page from one the administrator submitted intentionally; any POST that arrives with a valid admin session cookie is accepted. Second, the simplehoverback, simplehovertext, flickrback and simple_flimit values are stored without validation and later output without escaping (esc_attr() or an equivalent for the context), so a forged update becomes stored XSS that runs in the administrator's browser in the site's origin. The nonce check closes the CSRF vector; validating input on save and escaping on output closes the XSS vector. Both fixes are needed: without the nonce an attacker can still change settings even if script no longer executes, and without escaping the XSS stays reachable by any other path that can write these options.
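The defects described in the mechanism steps and in this analysis, in code, as an added illustration that is not the Simplelife plugin's source: a hypothetical reconstruction of the vulnerable settings handler, followed by the same handler with the WordPress nonce check, capability check, input validation and output escaping applied. The option names, the 'simplelife' page slug and the assumed data types (text values, a URL for flickrback, an integer for simple_flimit) are assumptions; only the four parameter names and the options-general.php path come from the advisory.

```php
<?php
/*
 * Added illustration, not the Simplelife plugin's code. Assumptions: the
 * settings page slug is 'simplelife', each setting is stored under an option
 * of the same name, flickrback holds a URL and simple_flimit an integer.
 */

/* ---- Vulnerable pattern (hypothetical reconstruction) ------------------ */
/* Trusts any POST that carries an admin session: no nonce, no capability
 * check, raw input stored, stored value echoed into an attribute unescaped. */
function simplelife_settings_page_vulnerable() {
    if ( isset( $_POST['simplehovertext'] ) ) {
        update_option( 'simplehoverback', $_POST['simplehoverback'] );
        update_option( 'simplehovertext', $_POST['simplehovertext'] );
        update_option( 'flickrback',      $_POST['flickrback'] );
        update_option( 'simple_flimit',   $_POST['simple_flimit'] );
    }
    // A stored value such as  "><script>alert(1)</script>  closes the value
    // attribute and runs in the browser of whoever loads this page.
    echo '<form method="post">';
    echo '<input name="simplehovertext" value="' . get_option( 'simplehovertext' ) . '">';
    echo '<input type="submit" value="Save"></form>';
}

/* ---- Hardened pattern --------------------------------------------------- */
function simplelife_settings_page_hardened() {
    if ( isset( $_POST['simplehovertext'] ) ) {
        simplelife_save_settings_hardened();
    }
    echo '<form method="post">';
    // Emits a hidden _wpnonce field bound to this action and the current user.
    // A page on another origin cannot read or predict it, so a forged POST
    // arrives without a valid nonce and is rejected below.
    wp_nonce_field( 'simplelife_save_settings' );
    // Escape on output so a stored value cannot break out of the attribute.
    echo '<input name="simplehoverback" value="' . esc_attr( get_option( 'simplehoverback', '' ) ) . '">';
    echo '<input name="simplehovertext" value="' . esc_attr( get_option( 'simplehovertext', '' ) ) . '">';
    echo '<input name="flickrback"      value="' . esc_url( get_option( 'flickrback', '' ) ) . '">';
    echo '<input name="simple_flimit"   value="' . esc_attr( get_option( 'simple_flimit', 0 ) ) . '">';
    echo '<input type="submit" value="Save"></form>';
}

function simplelife_save_settings_hardened() {
    // Authorization: only users allowed to manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF: verify the nonce emitted by wp_nonce_field(); calls wp_die() on
    // failure, so nothing below runs for a forged request.
    check_admin_referer( 'simplelife_save_settings' );

    // Validate on save: coerce each value to the type the setting is assumed
    // to hold. Escaping on output (above) still applies to whatever is stored.
    $in = wp_unslash( $_POST );
    update_option( 'simplehoverback', sanitize_text_field( isset( $in['simplehoverback'] ) ? $in['simplehoverback'] : '' ) );
    update_option( 'simplehovertext', sanitize_text_field( isset( $in['simplehovertext'] ) ? $in['simplehovertext'] : '' ) );
    update_option( 'flickrback',      esc_url_raw( isset( $in['flickrback'] ) ? $in['flickrback'] : '' ) );
    update_option( 'simple_flimit',   absint( isset( $in['simple_flimit'] ) ? $in['simple_flimit'] : 0 ) );
}

// Registers the page at wp-admin/options-general.php?page=simplelife
// (slug assumed), which is the path the advisory names.
add_action( 'admin_menu', function () {
    add_options_page( 'Simplelife', 'Simplelife', 'manage_options', 'simplelife', 'simplelife_settings_page_hardened' );
} );
```

check_admin_referer() validates the nonce against the current user's session, so the forged POST from the hidden form carries the cookie but not the nonce and ends in wp_die() before any option is written. The nonce is not a substitute for escaping, and the reverse holds too; the WordPress Settings API (register_setting() with a sanitize callback, plus settings_fields() in the form) provides the same nonce, capability and sanitization handling with less hand-written code.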
