This CSRF vulnerability allows an attacker to change preset settings of the Shortcode Ultimate plugin. As most of the Shortcode Ultimate users don’t have access to the settings of the plugin, the settings change can be exploited by visitors of different sites that use the plugin. This CSRF vulnerability can be exploited by injecting malicious code into the URL of settings form in the plugin. In order to exploit this CSRF vulnerability, an attacker needs to craft a malicious URL that allows setting preset settings of the plugin. An example of such a malicious URL is: http://example.com/wp-admin/plugin-settings.php?key=KEY> An example of a setting form with a malicious URL would be:
An attacker could inject malicious code into the setting form via CSRF vulnerability. When a user visits the setting form on the website, the setting is submitted to the server where the attacker’s server-side script can change the preset settings. This is possible due to the fact that the Shortcode Ultimate plugin accepts the submitted setting values via POST request. Due to this vulnerability, an attacker can change the preset settings of the Shortcode Ultimate plugin easily. This can be done by changing the values of the Shortcode Presets setting. Any user can change the preset settings of the Shortcode Ultimate plugin easily by visiting the website with malicious URL
Proof of Concept
CSRF Bypass Using Shortcode Ultimate Plugin
A vulnerability in the Shortcode Ultimate plugin allows an attacker to change preset settings of the plugin. This vulnerability is a CSRF vulnerability that can be exploited via POST request. The attackers need to craft a malicious URL that allows setting preset settings of the plugin. This vulnerability can be further exploited by injecting malicious code into the URL of settings form on the website where the Shortcode Ultimate plugin is used.
CSRF Protection for Shortcode Ultimate Plugin
Shortcode Ultimate is a plugin that helps WordPress sites to use shortcodes. This plugin comes with many settings. For example, an administrator can set the number of rows that are shown in the setting form of Shortcode Ultimate. One of the settings that is vulnerable to CSRF attack is setting preset settings. As the vulnerability allows changing preset settings, it’s possible for an attacker to change those preset settings. To prevent this vulnerability from being exploited, a CSRF protection should be implemented by the WP administration panel on Shortcode Ultimate plugin settings form.
The CSRF protection for this vulnerability is as follows:
Timeline
Published on: 10/11/2022 20:15:00 UTC
Last modified on: 10/12/2022 17:22:00 UTC