Details
================
Software: Like Button Rating ♥ LikeBtn
Version: 2.5.3
Homepage: https://ift.tt/1sqIK9v
Advisory report: https://ift.tt/2uYdrcu
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)

Description
================
Like Button Rating ♥ LikeBtn allows anybody to set any option

Vulnerability
================
In the init action, this plugin checks to see if $_POST['likebtn_import_config'] is empty. If it’s not empty then it base64-decodes the string, parses it as JSON, and starts changing options.

Proof of concept
================
The below form will set the “Site Title” option to “Temmie”:
This works whether you’re logged in or not.

The base64-encoded JSON above is this:

{
  "likebtn_settings_options": {
    "blogname": "Temmie"
  }
}

Mitigations
================
Upgrade to version 2.5.4 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://ift.tt/1B6NWzd

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================
2017-10-27: Discovered
2017-11-02: Reported to vendor via email
2017-11-02: Vendor reported fixed

Discovered by dxw:
================
Tom Adams

Please visit security.dxw.com for more information.
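
Added example (not part of the advisory and not LikeBtn's own code or its 2.5.4 fix): a sketch of how an import handler of the kind described under "Vulnerability" can be gated so that only an administrator submitting the plugin's own form can change options, and only the plugin's own options. The function name, the nonce action and the "likebtn_" option-name prefix are assumptions made for illustration.

```php
<?php
// Added example, not LikeBtn's code. The function name, nonce action and the
// "likebtn_" prefix rule are assumptions made for illustration.

function example_likebtn_import_config() {
    if ( empty( $_POST['likebtn_import_config'] ) ) {
        return;
    }

    // Authorisation: the hook alone proves nothing about the caller, so
    // require a capability that only administrators hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // CSRF: the import form must carry a nonce for this action.
    check_admin_referer( 'example_likebtn_import' );

    // Strict base64 decoding, then JSON into associative arrays.
    $raw  = base64_decode( wp_unslash( $_POST['likebtn_import_config'] ), true );
    $data = ( false === $raw ) ? null : json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid import data', '', array( 'response' => 400 ) );
    }

    foreach ( $data as $options ) {
        if ( ! is_array( $options ) ) {
            continue;
        }
        foreach ( $options as $name => $value ) {
            // Allowlist: only the plugin's own options may be written, so a
            // core option such as "blogname" from the advisory's payload is skipped.
            if ( ! is_string( $name ) || 0 !== strpos( $name, 'likebtn_' ) ) {
                continue;
            }
            update_option( $name, $value );
        }
    }
}
// admin_init also fires for admin-ajax.php and admin-post.php requests from
// logged-out visitors, which is why the capability check above is required.
add_action( 'admin_init', 'example_likebtn_import_config' );
```

The values written by update_option() still need per-option validation; the sketch only covers who may import and which option names may be touched.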