Multiple cross-site request forgery (CSRF) vulnerabilities in the Wp Unique Article Header Image plugin 1.0 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) gt_default_header or (2) gt_homepage_header parameter in the wp-unique-header.php page to wp-admin/options-general.php.
Attackers can exploit multiple Cross-Site Request Forgery (CSRF) vulnerabilities in the Wp Unique Article Header Image plugin for WordPress to ride an administrator's authenticated session and store cross-site scripting (XSS) payloads in the plugin's settings. This can lead to complete site compromise, including data theft and defacement. The vulnerability is particularly dangerous because of its potential for remote code execution and persistent access.
Step 1: Craft Malicious Payload: The attacker crafts a malicious URL or HTML snippet containing a request to wp-admin/options-general.php. This request includes the gt_default_header or gt_homepage_header parameter, set to a URL pointing to a malicious JavaScript payload. This payload is designed to execute arbitrary code within the context of the WordPress site.
Step 2: Social Engineering (CSRF): The attacker uses social engineering techniques (e.g., phishing, malicious links) to trick an authenticated WordPress administrator into visiting a page containing the malicious URL or HTML. This could be a link in an email, a comment on a blog post, or a compromised website.
Step 3: Request Execution (CSRF): When the administrator's browser loads the malicious URL or HTML, it automatically sends the crafted request to the WordPress site together with the administrator's session cookies, so the site processes the request as if the administrator had submitted it. Because the plugin performs no CSRF check, the request is accepted.
Step 4: XSS Injection: The WordPress site processes the request, updating the header image settings with the attacker-controlled URL. This URL now points to the malicious JavaScript.
Step 5: Code Execution: When a user visits the WordPress site, the malicious JavaScript is loaded and executed in their browser due to the XSS vulnerability. This allows the attacker to steal cookies, redirect users, or perform other malicious actions, potentially leading to complete site compromise.
The vulnerability stems from a failure to properly validate and sanitize user input when handling the gt_default_header and gt_homepage_header parameters within the wp-unique-header.php file. The plugin allows these parameters, which are intended for setting header image URLs, to be manipulated via a CSRF attack. Because the plugin doesn't implement proper CSRF protection (e.g., using a nonce or verifying the origin of the request), an attacker can craft a malicious request that, when executed by an authenticated administrator, injects malicious JavaScript code into the site's header settings. This injected code then executes in the context of any user visiting the site, leading to XSS. The root cause is a lack of input validation and CSRF protection, allowing for arbitrary code execution.
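One way to close both gaps named above (no nonce check, no sanitization of the two URL options), shown as an added PHP example and not as the plugin's own code: the option names gt_default_header and gt_homepage_header come from the advisory, while the settings-group slug, function names and form markup are assumptions.

```php
<?php
// Added example, not the plugin's code. Option names are from the advisory;
// the settings group 'gt_header_settings' and all function names are assumed.

// 1. Register both options with the Settings API. options.php will then only
//    accept them from a form carrying a valid nonce for this group, and every
//    submitted value passes through the sanitizer before update_option().
function gt_header_register_settings() {
    $args = array( 'sanitize_callback' => 'gt_header_sanitize_url' );
    register_setting( 'gt_header_settings', 'gt_default_header', $args );
    register_setting( 'gt_header_settings', 'gt_homepage_header', $args );
}
add_action( 'admin_init', 'gt_header_register_settings' );

// Sanitizer: keep only a well-formed http(s) URL. Other schemes and values
// with quotes or angle brackets meant to break out of an attribute become ''.
function gt_header_sanitize_url( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}

// 2. Settings form under Settings > General. settings_fields() emits the hidden
//    option_page, action and _wpnonce fields; options.php rejects the POST when
//    the nonce is missing or stale, which is what stops a forged cross-site
//    request from another origin.
function gt_header_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'gt_header_settings' ); ?>
        <input type="url" name="gt_default_header"
               value="<?php echo esc_url( get_option( 'gt_default_header', '' ) ); ?>">
        <input type="url" name="gt_homepage_header"
               value="<?php echo esc_url( get_option( 'gt_homepage_header', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// 3. Front-end sink: escape again on output, so a value that reached the
//    database by any other path still cannot break out of the src attribute.
function gt_header_render_image( $option ) {
    $src = get_option( $option, '' );
    if ( '' === $src ) {
        return '';
    }
    return '<img class="gt-header" src="' . esc_url( $src ) . '" alt="">';
}
```

The nonce check and the sanitize_callback run on the server regardless of which form or page submitted the request, so a cross-site POST without a fresh nonce for this group is rejected before either option is written.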