Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the lpa_post_letters parameter in the wp-limit-posts-automatically.php page to wp-admin/options-general.php.
Attackers can exploit a Cross-Site Request Forgery (CSRF) vulnerability in the WP Limit Posts Automatically WordPress plugin to hijack an administrator's authenticated session and inject cross-site scripting (XSS) payloads. This can lead to complete site compromise, including data theft, defacement, and potential server takeover. The vulnerability lies in the plugin's handling of user input and lets an attacker execute arbitrary JavaScript in the browser of a logged-in administrator.
Step 1: Craft Malicious Link/Payload: The attacker crafts a malicious URL or HTML snippet containing a specially crafted lpa_post_letters parameter. This parameter contains a JavaScript payload designed to exploit the XSS vulnerability.
Step 2: Social Engineering/Delivery: The attacker uses social engineering techniques (e.g., phishing emails, malicious advertisements) to trick an administrator into clicking the malicious link or visiting a webpage containing the malicious HTML.
Step 3: CSRF Exploitation: When the administrator clicks the link or visits the webpage, the browser automatically sends the crafted request to wp-admin/options-general.php. Because the administrator is logged in and the plugin lacks CSRF protection, the request is processed as if it originated from the administrator.
Step 4: XSS Payload Execution: The plugin processes the lpa_post_letters parameter, which contains the XSS payload. The payload is then stored within the plugin's settings.
Step 5: Payload Trigger: When the administrator views a page that utilizes the plugin's settings, the XSS payload executes within the administrator's browser.
Step 6: Account Hijack/Site Compromise: The XSS payload allows the attacker to steal the administrator's session cookies, redirect the administrator to a phishing site, or execute other malicious actions, ultimately leading to complete site compromise.
The root cause is twofold. First, the plugin's settings handler for wp-admin/options-general.php implements no CSRF protection, such as a unique nonce or a check of the request's origin, so a request crafted by an attacker and submitted by a logged-in administrator's browser is accepted as that administrator's own and modifies the plugin's settings. Second, the plugin fails to validate and sanitize the lpa_post_letters parameter, so the attacker can store an XSS payload in that setting. When the administrator views a page that renders the injected script, it executes in their browser, allowing the attacker to steal cookies, redirect users, or perform other malicious actions, leading to a complete compromise of the WordPress site.
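The two defects above, shown side by side in an added illustration that is not code from the WP Limit Posts Automatically plugin: a WordPress settings handler that stores the raw parameter with no nonce check, beside a hardened version that uses the standard nonce, capability, sanitization and output-escaping functions. The option name, field name and nonce action are assumptions.

```php
<?php
// Added illustration; not the plugin's own code. Names are assumptions.

// --- Weak pattern: no nonce check, no sanitization, no output escaping ---
function lpa_save_settings_weak() {
    if ( isset( $_POST['lpa_post_letters'] ) ) {
        // Any form post from another origin by a logged-in admin is accepted (CSRF),
        // and the raw value is stored, so markup persists in the option (stored XSS).
        update_option( 'lpa_post_letters', $_POST['lpa_post_letters'] );
    }
}

function lpa_render_field_weak() {
    // Unescaped output: a stored value can break out of the attribute.
    echo '<input name="lpa_post_letters" value="' . get_option( 'lpa_post_letters' ) . '">';
}

// --- Hardened pattern ---
function lpa_save_settings_hardened() {
    if ( ! isset( $_POST['lpa_post_letters'] ) ) {
        return;
    }
    // Only users allowed to change site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Reject requests that do not carry the nonce emitted by our own form;
    // a page on another origin cannot read or forge it, which defeats CSRF.
    check_admin_referer( 'lpa_save_settings', 'lpa_nonce' );

    // Strip tags and control characters before storing. If the setting is
    // purely numeric (an assumption), absint() is the tighter choice.
    $value = sanitize_text_field( wp_unslash( $_POST['lpa_post_letters'] ) );
    update_option( 'lpa_post_letters', $value );
}

function lpa_render_field_hardened() {
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies above.
    wp_nonce_field( 'lpa_save_settings', 'lpa_nonce' );
    // Escape on output so even a previously stored payload cannot execute.
    echo '<input name="lpa_post_letters" value="'
        . esc_attr( get_option( 'lpa_post_letters', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

Both the nonce check on input and the escaping on output are needed: the nonce stops a cross-origin request from changing the setting, and esc_attr() keeps any value that does reach the option from running as script.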