TycheSoftwares / arconix-shortcodes

Arconix Shortcodes provides a number of useful design elements to complement any website.

WordPress Arconix Shortcodes Plugin <= 2.1.9 is vulnerable to Broken Access Control #78

Closed Chetna1510 closed 7 months ago

Chetna1510 commented 8 months ago

We want to report a vulnerability discovered in Arconix Shortcodes WordPress plugin discovered by security researcher Dhabaleshwar Das. The original report is available here: https://patchstack.com/database/report-preview/8e2dd124-3b7c-48cc-b5b7-9ac428d3e0ef See the ticket to get PIN: https://support.tychesoftwares.com/conversation/216?folder_id=9

The "Arconix Shortcodes" plugin lacks proper nonce implementation for "shortcodes_admin_notices" action, exposing users to Cross-Site Request Forgery (CSRF) attacks. This vulnerability could allow an attacker to perform malicious actions on behalf of the authenticated user without their consent.

In the attached video PoC it is shown in detail.

1- First install the "Arconix Shortcodes" plugin and then activate it.

2- After activation, on top of the page you will see an option, "Want to help make Arconix Shortcodes even more awesome? Allow .....". Click on the cross icon to dismiss it and capture the request in Burp; you can see that no nonce has been implemented for this action.

3- This improper validation of nonce causes CSRF attacks, wherein an attacker can forge a request to perform unauthorized actions on behalf of the user who is currently authenticated.

The crafted HTML request can be seen here:

Screenshots and video

image

https://github.com/TycheSoftwares/arconix-shortcodes/assets/15136179/39b0acb3-44b7-4162-947c-9bc2658f1568
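For reference, the WordPress pattern that closes this class of issue is to tie the dismiss link to a nonce and verify it (plus a capability) before changing state. The snippet below is an added example written for this page, not the plugin's own code: the hook names, query arguments, user-meta key, and the `example_` function names are assumptions chosen for illustration, and the unsafe variant is shown only to contrast with the protected one.

```php
<?php
/**
 * Added example (not the Arconix Shortcodes plugin's code).
 * Shows an admin-notice "dismiss" action with and without nonce protection.
 * Names prefixed example_ and the query args are assumptions for illustration.
 */

// Unprotected pattern: state changes on a bare query argument. Because nothing binds
// the request to the logged-in user's session, it is exposed to CSRF. Not hooked anywhere.
function example_notice_dismiss_unsafe() {
	if ( isset( $_GET['example_dismiss_notice'] ) ) {
		update_user_meta( get_current_user_id(), 'example_notice_dismissed', 1 );
	}
}

// Protected pattern, step 1: build the dismiss link with a nonce for a named action.
function example_notice_dismiss_url() {
	$url = add_query_arg( 'example_dismiss_notice', '1', admin_url() );
	// wp_nonce_url() appends a nonce (here in the 'example_nonce' arg) bound to the
	// 'example_dismiss_notice' action and the current user.
	return wp_nonce_url( $url, 'example_dismiss_notice', 'example_nonce' );
}

// Protected pattern, step 2: verify the nonce and the capability before changing state.
function example_notice_dismiss_safe() {
	if ( ! isset( $_GET['example_dismiss_notice'] ) ) {
		return;
	}
	// check_admin_referer() verifies the nonce for this action and dies with
	// "The link you followed has expired" when it is missing or invalid.
	check_admin_referer( 'example_dismiss_notice', 'example_nonce' );

	// A nonce only proves intent; authorization still needs a capability check.
	// 'manage_options' is an assumption; use whatever fits the setting being changed.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

	update_user_meta( get_current_user_id(), 'example_notice_dismissed', 1 );

	// Redirect to the same screen without the one-time parameters.
	wp_safe_redirect( remove_query_arg( array( 'example_dismiss_notice', 'example_nonce' ) ) );
	exit;
}
add_action( 'admin_init', 'example_notice_dismiss_safe' );

// Render the notice with the nonce-carrying dismiss link.
function example_render_notice() {
	if ( get_user_meta( get_current_user_id(), 'example_notice_dismissed', true ) ) {
		return;
	}
	printf(
		'<div class="notice notice-info"><p>%s <a href="%s">%s</a></p></div>',
		esc_html__( 'Want to help make this plugin even more awesome?', 'example' ),
		esc_url( example_notice_dismiss_url() ),
		esc_html__( 'Dismiss', 'example' )
	);
}
add_action( 'admin_notices', 'example_render_notice' );
```

The key difference is that the nonce is generated per action and per user session, so a request forged from another site cannot carry a valid one; the capability check is kept separately because nonces address request forgery, not authorization.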