Security Vulnerability reported
-
Hi Shra,
Wordfence is flagging version 1.5.8 or older as vulnerable. Please confirm that you are aware of this and plan a fix ASAP.
TIA,
Graham
-
Can you please share more info about the issue? As far as I know, Wordfence doesn't provide info about 3rd-party plugins. If you can share screenshots or steps to reproduce whatever I need to check, you are welcome.
Hi @shra
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/inactive-user-deleter/inactive-user-deleter-158-cross-site-request-forgery-via-multiple-functions
If you need more details I suggest you reach out to the Wordfence support team.
Regards,
Graham

This case isn't only about the multiple CSRF issues, but about the Persistent XSS as well (confirmPeriod).

Thanks, guys, for the quick response! I will check how to fix these issues.
I've uploaded a new version (1.59) with wp_nonce usage for all forms; hope you are happy now, guys! 🙂
@shra, nice one!
But you forgot about the Persistent XSS in the confirmPeriod parameter.

Do you think the following code is not enough?
$confirmPeriod = $_POST['confirmPeriod'] <= 0 ? 1 : $_POST['confirmPeriod'] + 0;
In any case it will be converted to a number.
PHP 8.0 Warning: Undefined array key "confirmPeriod" in inactive-user-deleter\inactive-user-deleter.php on line 363
v1.59
The error occurs when deleting a user (without email notify).
Oh my god, guys, you are killing me 🙂 Ok, catch the next version 1.60!
Thank you, shra :) The plugin is interesting to me.
@shra, still exploitable:

Tips: sanitize input, escape output, and don't try to use HTML tag attributes for any kind of limitation, e.g. maxlength.

In the last update I rewrote it as follows:
$confirmPeriod = (!isset($_POST['confirmPeriod']) || $_POST['confirmPeriod'] <= 0) ? 1 : intval($_POST['confirmPeriod']);
so, as you see, the value is filtered by the intval function. You say "still exploitable"; could you share the exploit example, please?
@shra, here we go:

POST /wp-admin/users.php?page=inactive-user-deleter%2Finactive-user-deleter.php HTTP/2
Host: [redacted]
Cookie: [cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 291

op=misc&last-inform=0&_wpnonce=[redacted]&_wp_http_referer=[redacted]&informME=1&informPeriod=7&informUsersNumber=50&informUsers=1&confirmPeriod=7%22+onmouseover%3Dalert%28%29%3B%2F%2F+v%3D%22&confirmLetter=X&sbm=Save

Thank you, @fearzzzz! I found out what you meant. I hope it is fixed now. A new version is uploaded (1.61).
@shra, good job! 🙂
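The exchange above turns on one point: the nonce fixed the CSRF, and intval() fixed the value that gets stored, but the request fearzzzz posted still worked because the decoded confirmPeriod value (7" onmouseover=alert();// v=") only needs to be echoed back unescaped into a value="..." attribute once. The following is an added example written for this thread, not code from the Inactive User Deleter plugin or from either participant: it puts the vulnerable render beside the fixed one and runs both on a constructed copy of that payload. The nonce action name and the handler names are hypothetical; the WordPress helpers esc_attr() and absint() are shimmed only when WordPress is not loaded, so the script runs stand-alone with plain `php`.

```php
<?php
// Added example for the thread above. Not the plugin's code; the nonce action
// name 'iud_save_settings' and the function names here are hypothetical.
// Demonstrates: intval() on the stored value does not protect a form that
// re-echoes the raw $_POST value into an HTML attribute; output must be escaped.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): escape for a double-quoted attribute.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    // Stand-in for WordPress absint(): non-negative integer from any input.
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}

// Vulnerable pattern: the raw request value is written into value="...".
// maxlength is only a hint to the browser; a hand-crafted POST ignores it, and
// the double quote in the payload closes value= so the rest becomes attributes.
function render_confirm_period_unsafe(string $raw): string {
    return '<input type="text" name="confirmPeriod" maxlength="3" value="' . $raw . '">';
}

// Fixed pattern, step 1: validate the input to an integer before it is stored.
// absint("7\" onmouseover=...") is 7; absint("abc") is 0, which falls back to 1,
// matching the plugin's "default to 1" behaviour shown in the thread.
function sanitize_confirm_period($raw): int {
    $n = absint($raw);
    return $n > 0 ? $n : 1;
}

// Fixed pattern, step 2: escape on output even though the value is an int now,
// so a later change to the stored type cannot silently reopen the attribute.
function render_confirm_period_safe(int $value): string {
    return '<input type="number" name="confirmPeriod" min="1" value="' . esc_attr((string) $value) . '">';
}

// Save handler sketch. The nonce check stops CSRF; sanitising stops the XSS.
// They are independent fixes and both are required. '?? 0' also avoids the
// PHP 8 "Undefined array key" warning reported earlier in the thread.
function handle_save(array $post): array {
    if (function_exists('check_admin_referer')) {
        check_admin_referer('iud_save_settings'); // hypothetical nonce action
    }
    $clean = sanitize_confirm_period($post['confirmPeriod'] ?? 0);
    // Under WordPress this is where update_option() would store $clean.
    return ['confirmPeriod' => $clean];
}

// Constructed request body: the decoded confirmPeriod value from the posted request.
$post = ['confirmPeriod' => '7" onmouseover=alert();// v="'];

echo "Unsafe render of the raw request value:\n";
echo render_confirm_period_unsafe($post['confirmPeriod']), "\n\n";

$saved = handle_save($post);
echo "Safe render after sanitising and escaping:\n";
echo render_confirm_period_safe($saved['confirmPeriod']), "\n\n";

// Missing parameter (the "delete without email notify" case): no warning, default 1.
$saved = handle_save([]);
echo "Missing parameter falls back to: ", $saved['confirmPeriod'], "\n";
```

The unsafe output contains a live onmouseover attribute even though the stored setting is the integer 7, which is exactly why the 1.60 change was still exploitable: the fix has to be applied where the value is printed, not only where it is saved.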
The topic ‘Security Vulnerability reported’ is closed to new replies.