• Resolved grl570810

    (@grl570810)


    Hi Shra,
    Wordfence is flagging version 1.5.8 or older as vulnerable. Please confirm that you are aware of this and plan a fix ASAP.
    TIA,
    Graham

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Author shra

    (@shra)

    Can you please share more info about the issue? As far as I know, Wordfence doesn’t provide info about 3rd party plugins. If you can share screenshots or steps to reproduce whatever I need to check, you are welcome.

    Thread Starter grl570810

    (@grl570810)

    Anonymous User 20889438

    (@anonymized-20889438)

    @shra,

    This case isn’t only about the multiple CSRF issues, but about the Persistent XSS as well (confirmPeriod).

    Plugin Author shra

    (@shra)

    Thanks, guys, for a quick response! I will check how to fix these issues.

    Plugin Author shra

    (@shra)

    I’ve uploaded a new version (1.59) with wp_nonce usage for all forms, hope you are happy now guys!

    Anonymous User 20889438

    (@anonymized-20889438)

    @shra, nice one!

    But you forgot about the Persistent XSS in the confirmPeriod parameter.

    Plugin Author shra

    (@shra)

    Do you think the next code is not enough?

    $confirmPeriod = $_POST['confirmPeriod'] <= 0 ? 1 : $_POST['confirmPeriod'] + 0;

    In any case it will be converted to a number.

    PHP 8.0 Warning: Undefined array key “confirmPeriod” in
    inactive-user-deleter\inactive-user-deleter.php on line 363
    v1.59

    The error occurs when deleting a user (without email notify).

    Plugin Author shra

    (@shra)

    Oh my god, guys, you are killing me. Ok, catch the next version 1.60!

    Thank you, shra) The plugin is interesting for me.

    Anonymous User 20889438

    (@anonymized-20889438)

    @shra, still exploitable:

    Tips: sanitize input, escape output and don’t try to use HTML tag attributes for any kind of limitations, i.e.: maxlength.

    Plugin Author shra

    (@shra)

    In the last update I rewrote it as follows:

    $confirmPeriod = (!isset($_POST['confirmPeriod']) || $_POST['confirmPeriod'] <= 0) ? 1 : intval($_POST['confirmPeriod']);

    so as you see the value is filtered by intval func. You say “still exploitable”, could you share the exploit example, please?

    Anonymous User 20889438

    (@anonymized-20889438)

    @shra, here we go:

    POST /wp-admin/users.php?page=inactive-user-deleter%2Finactive-user-deleter.php HTTP/2
    Host: [redacted]
    Cookie: [cookies]
    User-Agent: Mozilla/5.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 291
    
    op=misc&last-inform=0&_wpnonce=[redacted]&_wp_http_referer=[redacted]&informME=1&informPeriod=7&informUsersNumber=50&informUsers=1&confirmPeriod=7%22+onmouseover%3Dalert%28%29%3B%2F%2F+v%3D%22&confirmLetter=X&sbm=Save
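
The tips earlier in the thread (sanitize input, escape output, don't rely on HTML attributes as limits) applied to the confirmPeriod value from this request, as an added example that is not the plugin's code or part of the thread. It assumes the raw string reaches an HTML attribute somewhere, which the thread does not show; the helper names and the 3650 upper bound are hypothetical.

```php
<?php
// Added example, not the plugin's code. Constructed input: the confirmPeriod
// value from the request quoted in the thread, URL-decoded.
$posted = ['confirmPeriod' => '7" onmouseover=alert();// v="'];

// Hypothetical helper: accept only a whole number within a server-side range
// (3650 is an assumed upper bound). Client-side attributes such as maxlength
// or min never reach this check, because the request can be built without
// the form.
function read_confirm_period(array $input, int $default = 1, int $max = 3650): int
{
    $value = filter_var(
        $input['confirmPeriod'] ?? null,      // absent key: no PHP 8 warning
        FILTER_VALIDATE_INT,                  // whole string must be an integer
        ['options' => ['min_range' => 1, 'max_range' => $max]]
    );
    return $value === false ? $default : $value;
}

// Hypothetical renderer: escape for the attribute context at output time,
// whatever type the stored value is supposed to have.
function render_confirm_period_field($stored): string
{
    return sprintf(
        '<input type="number" name="confirmPeriod" min="1" value="%s">',
        htmlspecialchars((string) $stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

$raw = $posted['confirmPeriod'];

// The cast from the thread keeps only the leading digits of the payload.
echo 'intval():        ', intval($raw), PHP_EOL;
// Strict validation rejects the payload outright and falls back to the default.
echo 'validated:       ', read_confirm_period($posted), PHP_EOL;
echo 'validated "30":  ', read_confirm_period(['confirmPeriod' => '30']), PHP_EOL;
echo 'missing key:     ', read_confirm_period([]), PHP_EOL;
// Raw string concatenated into an attribute: the quote closes value="..."
echo 'unescaped:       <input value="' . $raw . '">', PHP_EOL;
// Same raw string through the escaping renderer stays inside the attribute.
echo 'escaped:         ', render_confirm_period_field($raw), PHP_EOL;
```

Inside WordPress the same two steps are normally written with `absint()` on input and `esc_attr()` on output.
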

    Plugin Author shra

    (@shra)

    Thank you, @fearzzzz! I found out what you meant. I hope now it is fixed. New version is uploaded (1.61)

    Anonymous User 20889438

    (@anonymized-20889438)

    @shra, good job!

  • The topic ‘Security Vulnerability reported’ is closed to new replies.