[wp-trac] [WordPress Trac] #57451: Cross Site Request Forgery on Admin of any wordpress site to export files
WordPress Trac
noreply at wordpress.org
Thu Jan 12 13:13:25 UTC 2023
#57451: Cross Site Request Forgery on Admin of any wordpress site to export files
----------------------------+-----------------------------
Reporter: f41z4n | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 6.1.1
Severity: major | Keywords: needs-patch
Focuses: administration |
----------------------------+-----------------------------
[Marked as No Impact By WordPress Hackerone Team]
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they’re currently
authenticated. With a little help of social engineering (such as sending a
link via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker’s choosing.
Steps To Reproduce:
1. Login to WordPress Backend as an Admin
2. Go to Tools > Export > Select what to export
3. Select the data you want to export. Capture this request using a web
proxy like Burp Suite.
4. Since this is a GET request, copy the URL to which the request is made.
5. Send this URL to another admin or user with equal rights.
6. When he clicks on the URL, he shall download the file automatically.
The vulnerable endpoint:
http://<your_wp.com>/wp-admin/export.php?download=true&content=all&cat=0&post_author=2&post_start_date=0&post_end_date=0&post_status=0&page_author=0&page_start_date=0&page_end_date=0&page_status=0&attachment_start_date=0&attachment_end_date=0&submit=Download+Export+File
Recommendations
Enforce CSRF protection, such as a wpNonce token, for the file export endpoint.
Impact
Unauthorised File Download on an administrator's PC
An attacker can write a script which sends 100s of GET requests at once to
the endpoint, and share the script with another user, and when he downloads
100 files at once, it shall also consume his disk space.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57451>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
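The ticket's recommendation is a nonce on the export link. The following is an added example, not WordPress core code and not the reporter's: a hypothetical admin-post handler shown first in the unprotected shape the ticket describes (any logged-in user who follows a plain GET link receives the file) and then protected with a nonce plus a capability check. The handler names, the `example_export` action and nonce name, and the helper functions are assumptions invented for this example; `export_wp()` is WordPress's own export routine from `wp-admin/includes/export.php`, and `wp_nonce_url()`, `check_admin_referer()`, `current_user_can()` and the `admin_post_{action}` hook are real WordPress APIs.

```php
<?php
// Added example (not WordPress core code): hypothetical export endpoint,
// unprotected shape followed by the nonce-protected shape.

// Unprotected shape: a capability check alone does not help against CSRF,
// because the victim *is* an authorised user. Nothing ties the request to a
// click the user actually made on this site, so a copied URL replays for anyone
// with the capability. (Not hooked anywhere; shown for contrast only.)
function example_export_insecure() {
    if ( ! current_user_can( 'export' ) ) {
        wp_die( __( 'Sorry, you are not allowed to export the content of this site.' ), 403 );
    }
    require_once ABSPATH . 'wp-admin/includes/export.php';
    export_wp( array( 'content' => 'all' ) ); // sends Content-Disposition: attachment and the WXR body
    exit;
}

// Protected shape, step 1: build the download link with a nonce bound to the
// current user's session and to the 'example_export' action.
function example_export_download_url( array $args ) {
    $args['action'] = 'example_export';                     // assumed action name
    $url = add_query_arg( $args, admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'example_export' );          // appends _wpnonce=<token>
}

// Step 2: the handler verifies capability and nonce before producing anything.
// admin_post_{action} only fires for logged-in users; unauthenticated requests
// go to admin_post_nopriv_{action}, which this example does not register.
add_action( 'admin_post_example_export', 'example_export_secure' );

function example_export_secure() {
    if ( ! current_user_can( 'export' ) ) {
        wp_die( __( 'Sorry, you are not allowed to export the content of this site.' ), 403 );
    }

    // check_admin_referer() reads $_REQUEST['_wpnonce'] and stops the request
    // with "The link you followed has expired." when the token is absent,
    // forged, past its lifetime, or issued to a different user. A URL copied
    // out of a proxy by one admin therefore does not work for another.
    check_admin_referer( 'example_export' );

    // Only now is the query string trusted enough to drive the export, and
    // even then it is reduced to a known set of values.
    $allowed = array( 'all', 'posts', 'pages', 'attachment' );
    $content = isset( $_GET['content'] ) ? sanitize_key( wp_unslash( $_GET['content'] ) ) : 'all';
    if ( ! in_array( $content, $allowed, true ) ) {
        $content = 'all';
    }

    require_once ABSPATH . 'wp-admin/includes/export.php';
    export_wp( array( 'content' => $content ) );
    exit;
}

// Where the "Download Export File" link is rendered (assumed call site):
// echo '<a href="' . esc_url( example_export_download_url( array( 'content' => 'all' ) ) ) . '">Download</a>';
```

The nonce is what distinguishes a download the user chose from one they were steered into: it is generated on the site's own page, bound to that user, and expires, so the reporter's scenario of forwarding a captured URL to a second admin fails at `check_admin_referer()` rather than producing a file. A `Referer` check would be a weaker substitute, since browsers and privacy extensions routinely strip that header.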