CVE-2014-9396

MEDIUM 6.8 / 10.0
Published: December 31, 2014 at 09:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: cve@mitre.org

Vulnerability Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleFlickr plugin 3.0.3 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simpleflickr_width, (2) simpleflickr_bgcolor, or (3) simpleflickr_xmldatapath parameter in the simpleFlickr.php page to wp-admin/options-general.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

SimpleFlickr plugin versions 3.0.3 and earlier for WordPress are vulnerable to cross-site request forgery (CSRF): a settings request forged by a third-party page is processed with the authentication of the administrator whose browser sends it. Through this, attackers can store malicious JavaScript (XSS) in the plugin's settings, potentially leading to complete site compromise and data theft. Successful exploitation allows attackers to modify site settings and gain full control.

02 // Vulnerability Mechanism

Step 1: Craft Malicious Payload: The attacker crafts a malicious HTML page or email containing a hidden form or JavaScript code. This payload targets the wp-admin/options-general.php page with a request to modify SimpleFlickr settings.

Step 2: Social Engineering: The attacker lures an authenticated WordPress administrator to visit the malicious page or open the malicious email. This could involve phishing, social media, or other techniques.

Step 3: CSRF Attack Execution: When the administrator's browser loads the malicious page, the hidden form is automatically submitted, or the JavaScript code executes. This sends a request to wp-admin/options-general.php with the attacker-controlled parameters (e.g., simpleflickr_xmldatapath set to a URL pointing to a malicious JavaScript file).

Step 4: XSS Injection: Because the plugin performs no CSRF check, the WordPress site processes the forged request as a legitimate settings update, and the attacker-controlled parameters are saved in the plugin's settings. When the plugin's output is later rendered, the malicious JavaScript is executed in the administrator's browser.

Step 5: Site Compromise: The injected JavaScript can perform a variety of actions, such as stealing the administrator's session cookie, creating new administrator accounts, defacing the website, or redirecting users to phishing sites. This leads to complete site compromise.

03 // Deep Technical Analysis

The vulnerability stems from a lack of CSRF protection in the SimpleFlickr plugin's settings update functionality: the plugin does not verify that a settings request submitted through the wp-admin/options-general.php page actually originated from its own settings form. Attackers can therefore craft requests that, when issued by an authenticated administrator's browser, modify the plugin's configuration. The affected parameters are simpleflickr_width, simpleflickr_bgcolor, and simpleflickr_xmldatapath; each controls a setting whose stored value is later rendered, so attacker-chosen values can be used to inject JavaScript. The root cause is a missing or inadequate CSRF token (in WordPress terms, a nonce) or other origin verification: the plugin trusts every settings request that carries an administrator's session, regardless of where it came from.
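The missing check described in the mechanism and root-cause sections above, shown as an added illustration of the bug class and its fix. This is not the SimpleFlickr plugin's code: the three option names come from the advisory, while every function name, the settings-page layout and the WordPress 4.7+ array form of register_setting() are assumptions. The hardened half closes the CSRF path (nonce and capability check via the Settings API, or check_admin_referer() for a hand-rolled handler) and, separately, the XSS path (sanitize on save, escape on output), because fixing only one of the two leaves the other reachable.

```php
<?php
/*
 * Hypothetical illustration for CVE-2014-9396's bug class. NOT the SimpleFlickr
 * plugin's code; only the option names are taken from the advisory.
 */

// --- Vulnerable pattern (illustrative): no nonce, no capability check, no sanitization.
// Any POST that arrives with an administrator's cookies is honoured, whichever site sent it.
function sf_vuln_save_settings() {
    if ( isset( $_POST['simpleflickr_width'] ) ) {
        update_option( 'simpleflickr_width',       $_POST['simpleflickr_width'] );
        update_option( 'simpleflickr_bgcolor',     $_POST['simpleflickr_bgcolor'] );
        update_option( 'simpleflickr_xmldatapath', $_POST['simpleflickr_xmldatapath'] );
    }
}
function sf_vuln_render() {
    // Stored values echoed raw into markup: the second half of the bug (stored XSS).
    echo '<div style="width:' . get_option( 'simpleflickr_width' ) . 'px"></div>';
}

// --- Hardened pattern: Settings API + sanitize on save + escape on output.
add_action( 'admin_init', 'sf_safe_register_settings' );
function sf_safe_register_settings() {
    // Options registered here are saved by wp-admin/options.php, which verifies the
    // settings nonce and the manage_options capability before calling update_option().
    register_setting( 'simpleflickr', 'simpleflickr_width', array(
        'type'              => 'integer',
        'sanitize_callback' => 'absint',   // a width is only ever a non-negative integer
        'default'           => 500,
    ) );
    register_setting( 'simpleflickr', 'simpleflickr_bgcolor', array(
        'sanitize_callback' => 'sf_safe_sanitize_hex_color',
        'default'           => '#ffffff',
    ) );
    register_setting( 'simpleflickr', 'simpleflickr_xmldatapath', array(
        'sanitize_callback' => 'sf_safe_sanitize_same_origin_url',
        'default'           => '',
    ) );
}

function sf_safe_sanitize_hex_color( $value ) {
    // Allow-list #rgb / #rrggbb only; anything else (including script payloads) is dropped.
    $value = trim( (string) $value );
    return preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $value ) ? $value : '#ffffff';
}

function sf_safe_sanitize_same_origin_url( $value ) {
    // Accept only http(s) URLs on this site's own host, so the data path cannot be
    // pointed at a third-party server. On rejection keep the previous stored value.
    $url   = esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
    $parts = wp_parse_url( $url );
    $site  = wp_parse_url( home_url() );
    if ( '' === $url || empty( $parts['host'] ) || $parts['host'] !== $site['host'] ) {
        add_settings_error( 'simpleflickr_xmldatapath', 'sf-bad-url',
            'XML data path must be an http(s) URL on this site.' );
        return get_option( 'simpleflickr_xmldatapath', '' );
    }
    return $url;
}

function sf_safe_settings_page() {
    // settings_fields() emits the hidden nonce and option_page fields the Settings
    // API checks; a forged cross-site form cannot know the nonce value.
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'simpleflickr' ); ?>
        <input type="number" name="simpleflickr_width"
               value="<?php echo esc_attr( get_option( 'simpleflickr_width', 500 ) ); ?>">
        <input type="text" name="simpleflickr_bgcolor"
               value="<?php echo esc_attr( get_option( 'simpleflickr_bgcolor', '#ffffff' ) ); ?>">
        <input type="url" name="simpleflickr_xmldatapath"
               value="<?php echo esc_attr( get_option( 'simpleflickr_xmldatapath', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Equivalent checks for a plugin that handles its own POST instead of options.php.
function sf_safe_manual_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'simpleflickr-save' ); // dies unless the form carried wp_nonce_field('simpleflickr-save')
    update_option( 'simpleflickr_width', absint( $_POST['simpleflickr_width'] ?? 500 ) );
}

function sf_safe_render() {
    // Escape on output too: defence in depth for values stored before the fix shipped.
    printf(
        '<div class="simpleflickr" data-src="%s" style="width:%dpx;background:%s"></div>',
        esc_url( get_option( 'simpleflickr_xmldatapath', '' ) ),
        absint( get_option( 'simpleflickr_width', 500 ) ),
        esc_attr( get_option( 'simpleflickr_bgcolor', '#ffffff' ) )
    );
}
```

A site running an affected version can also check its database directly: an unexpected host in the stored simpleflickr_xmldatapath option, or a simpleflickr_width or simpleflickr_bgcolor value that is not a plain number or hex colour, is a sign that the settings were modified through this weakness and the values should be reset after the plugin is updated.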

CVE-2014-9396 - MEDIUM Severity (6.8) | Free CVE Database | 4nuxd