CVE-2014-9398

MEDIUM 6.8 / 10.0
Published: December 31, 2014 at 09:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: cve@mitre.org

Vulnerability Description

Cross-site request forgery (CSRF) vulnerability in the Twitter LiveBlog plugin 1.1.2 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the mashtlb_twitter_username parameter in the twitter-liveblog.php page to wp-admin/options-general.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The Twitter LiveBlog plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to hijack the authentication of a logged-in administrator. Chained with Cross-Site Scripting (XSS), this lets the attacker inject malicious JavaScript into the website, potentially leading to complete site compromise. Successful exploitation could result in data theft, defacement, or complete server takeover.

02 // Vulnerability Mechanism

Step 1: Victim Logged In: The administrator is logged into the vulnerable WordPress site with the Twitter LiveBlog plugin installed.

Step 2: Attacker Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or JavaScript code.

Step 3: Payload Delivery: The attacker tricks the administrator into visiting the malicious page or opening the malicious email. This could be through phishing, social engineering, or other means.

Step 4: CSRF Request: The malicious page automatically submits a POST request to wp-admin/options-general.php with the mashtlb_twitter_username parameter set to a value containing malicious JavaScript (XSS payload).

Step 5: Setting Modification: The WordPress site, due to the lack of CSRF protection, processes the request and updates the plugin's settings with the attacker-controlled value.

Step 6: XSS Execution: When the administrator views a page where the plugin displays the mashtlb_twitter_username, the malicious JavaScript is executed in the administrator's browser, within the context of the WordPress site.

Step 7: Site Compromise: The attacker's JavaScript can then perform various actions, such as stealing the administrator's session cookie, creating new administrator accounts, or injecting further malicious code to completely compromise the website.

03 // Deep Technical Analysis

The vulnerability stems from a failure to validate the origin of requests that update the plugin's configuration settings. Specifically, the twitter-liveblog.php page, when reached via a crafted request, neither verifies the request's origin nor requires a CSRF token, so unauthorized modifications are accepted. The attacker uses this to inject malicious JavaScript through the mashtlb_twitter_username parameter, which is then rendered in the wp-admin/options-general.php page without adequate escaping, making that page vulnerable to XSS. Together, the missing input validation and the absent CSRF protection allow an attacker to manipulate the plugin's settings and execute arbitrary script within the context of an administrator's session. The root cause is a missing security check in the plugin's configuration update process; the unprotected mashtlb_twitter_username parameter, combined with the lack of CSRF protection, is the primary flaw.
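The two defects described above, an options-save handler with no request-origin check and a settings field that echoes the stored value unescaped, beside a hardened form of the same handler. This is an added illustration written for this page, not the plugin's own code; the option name, function names, nonce action and capability are assumptions, and only the mashtlb_twitter_username parameter comes from the advisory.

```php
<?php
// Added illustration, not the Twitter LiveBlog plugin's code. Function names,
// the option key, the nonce action name and the 'manage_options' capability
// are assumptions; only 'mashtlb_twitter_username' comes from the advisory.

// --- Vulnerable shape: accepts any POST, no nonce, no validation, no escaping ---
function tlb_vulnerable_save_settings() {
    if ( isset( $_POST['mashtlb_twitter_username'] ) ) {
        // A cross-site form post from an admin's browser is processed like a real one.
        update_option( 'mashtlb_twitter_username', $_POST['mashtlb_twitter_username'] );
    }
}
function tlb_vulnerable_render_field() {
    // Stored value is placed in an HTML attribute unescaped: stored XSS sink.
    echo '<input name="mashtlb_twitter_username" value="'
        . get_option( 'mashtlb_twitter_username' ) . '">';
}

// --- Hardened shape: capability check, nonce (CSRF) check, validation, escaping ---
function tlb_safe_save_settings() {
    if ( ! isset( $_POST['mashtlb_twitter_username'] ) ) {
        return;
    }
    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // CSRF defense: the form must carry a nonce bound to this action and user.
    // A page on another origin cannot read or forge it; check_admin_referer() dies on failure.
    check_admin_referer( 'tlb_save_settings', 'tlb_nonce' );
    // Validate against the expected shape of a Twitter handle: 1-15 chars of [A-Za-z0-9_].
    $username = sanitize_text_field( wp_unslash( $_POST['mashtlb_twitter_username'] ) );
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,15}$/', $username ) ) {
        add_settings_error( 'mashtlb_twitter_username', 'invalid', 'Invalid Twitter username' );
        return;
    }
    update_option( 'mashtlb_twitter_username', $username );
}
function tlb_safe_render_field() {
    // Encode for the attribute context even though the input was validated (defense in depth).
    echo '<input name="mashtlb_twitter_username" value="'
        . esc_attr( get_option( 'mashtlb_twitter_username', '' ) ) . '">';
    // Emits the hidden nonce field that tlb_safe_save_settings() verifies.
    wp_nonce_field( 'tlb_save_settings', 'tlb_nonce' );
}
```

The nonce check is what removes the CSRF condition; the allow-list validation and esc_attr() remove the XSS sink, so either fix alone leaves part of the chain intact.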

CVE-2014-9398 - MEDIUM Severity (6.8) | Free CVE Database | 4nuxd