Headline
CVE-2021-4387: Multiple WordPress plugins fixed CSRF vulnerabilities (part 4).
The Opal Estate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.11. This is due to missing or incorrect nonce validation on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
This is the fourth part of our “Multiple WordPress plugins fixed CSRF vulnerabilities” saga. If you missed the previous episodes, you can click on the links below:
Multiple WordPress plugins fixed CSRF vulnerabilities (part 1).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 2).
Multiple WordPress plugins fixed CSRF vulnerabilities (part 3).
Vulnerable Plugins
1. Slider Hero
Vulnerable version: 8.2.0 and below
Vulnerable nonce: qcld-slider-main.php#275
if ( isset( $_REQUEST['slider_hero_duplicate_nonce'] ) ) {
    if ( ! wp_verify_nonce( $_REQUEST['slider_hero_duplicate_nonce'], 'slider_hero_duplicateslider_' . $id ) ) {
        die( __( 'Security check failed', 'reslide' ) );
    }
}
If $_REQUEST['slider_hero_duplicate_nonce'] isn't set, the nonce won't be checked.
2. Amministrazione Trasparente
Vulnerable version: 7.1 and below
Vulnerable nonce: redirector.php#L27
// verify this came from the our screen and with proper authorization,
// because save_post can be triggered at other times
if ( isset($_POST['aturlmeta_noncename']) && !wp_verify_nonce( $_POST['aturlmeta_noncename'], plugin_basename(__FILE__) )) {
    return $post->ID;
}
If $_POST['aturlmeta_noncename'] isn't set, the nonce won't be checked.
3. Vuukle
Vulnerable version: 3.4.31 and below
Vulnerable nonce: admin/partials/free-comments-for-wordpress-vuukle-admin-display.php#L57
if (isset($_POST['nonce']) && !wp_verify_nonce(sanitize_key($_POST['nonce']), $this->settings_name)) { // Input var okay
    wp_die(esc_html('Security check failed! Settings not saved.'));
}
If $_POST['nonce'] isn't set, the nonce won't be checked.
4. WP EasyPay
Vulnerable version: 3.2.0 and below
Vulnerable nonce: wpep_setup.php#L221
if ( ! isset($_POST['nonce']) && ! wp_verify_nonce( sanitize_key($_POST['nonce']), 'nonce' ) ) {
    die('access denied! Nonce not verify.');
}
If $_POST['nonce'] is set, the nonce won't be checked (the negated isset() short-circuits the && before wp_verify_nonce() runs).
5. Abandoned Cart Recovery for WooCommerce
Vulnerable version: 1.0.4 and below
Vulnerable nonce #1: includes/reports/abandoned-report-table.php#L166
if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'wacv-filter' ) ) {
    return;
}
If $_GET['_wpnonce'] isn't set, the nonce won't be checked.
Vulnerable nonce #2: abandoned-report-table.php#L341
if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'wacv-filter' ) ) {
    return;
}
Same as above.
6. Locations
Vulnerable version: 3.2.1 and below
Vulnerable nonce: gold-framework/gold-plugins-custom-post-type.php#L291
if ( isset($_POST[ 'my-custom-fields_wpnonce' ]) && !wp_verify_nonce( $_POST[ 'my-custom-fields_wpnonce' ], 'my-custom-fields' ) ){
    return;
}
If $_POST[ 'my-custom-fields_wpnonce' ] isn't set, the nonce won't be checked.
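Every snippet above fails the same way: the nonce is only verified when the request parameter is present, so a request that simply omits it passes. The following script is an added example, not code from the post or from any of the plugins listed; it puts the vulnerable "isset() && !wp_verify_nonce()" shape next to the fail-closed version and runs constructed requests through both. The action name 'demo-action', the parameter name '_wpnonce', and the $user_can_manage flag (standing in for a current_user_can() call) are assumptions for the demo; outside WordPress, minimal stand-ins for wp_create_nonce()/wp_verify_nonce() are defined so the script runs on its own.

```php
<?php
// Added example (not from the post or the plugins above). Shows why
// "isset($nonce) && !wp_verify_nonce($nonce)" fails open, and the fix.

// Stand-ins so the script runs outside WordPress. Demo only: a real
// WordPress nonce is an HMAC tied to the user, session and a time tick.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_create_nonce( $action ) {
        return hash( 'sha256', 'demo-secret|' . $action ); // constructed secret
    }
    function wp_verify_nonce( $nonce, $action ) {
        return hash_equals( wp_create_nonce( $action ), (string) $nonce ) ? 1 : false;
    }
}

/**
 * Vulnerable shape, as in the plugins above.
 * Returns true when the privileged action would run.
 */
function vulnerable_handler( array $request ) {
    if ( isset( $request['_wpnonce'] ) && ! wp_verify_nonce( $request['_wpnonce'], 'demo-action' ) ) {
        return false; // "security check failed"
    }
    // Reached with a valid nonce, but also with no nonce at all.
    return true;
}

/**
 * Fail-closed shape: the nonce must be present AND valid, and the caller
 * must also hold the capability. A nonce proves intent, not authorization,
 * so in a real plugin $user_can_manage would be current_user_can( 'manage_options' )
 * or whichever capability the action needs.
 */
function hardened_handler( array $request, $user_can_manage ) {
    if ( ! isset( $request['_wpnonce'] ) || ! wp_verify_nonce( $request['_wpnonce'], 'demo-action' ) ) {
        return false;
    }
    if ( ! $user_can_manage ) {
        return false;
    }
    return true;
}

// Constructed requests: one legitimate, two forged. A cross-site attacker
// cannot read the victim's nonce, so a forged request either omits it or
// carries a wrong value.
$requests = array(
    'legit'     => array( '_wpnonce' => wp_create_nonce( 'demo-action' ) ),
    'no_nonce'  => array(),
    'bad_nonce' => array( '_wpnonce' => 'not-the-real-nonce' ),
);

foreach ( $requests as $label => $req ) {
    printf(
        "%-9s vulnerable=%s hardened=%s\n",
        $label,
        vulnerable_handler( $req ) ? 'RUNS' : 'blocked',
        hardened_handler( $req, true ) ? 'RUNS' : 'blocked'
    );
}
// The vulnerable handler prints RUNS for "no_nonce": that is the CSRF bypass
// described for each plugin above. The hardened handler only runs for "legit".
```

In a real plugin the simplest correct form is to call check_admin_referer( 'demo-action', '_wpnonce' ) (or check_ajax_referer() for admin-ajax handlers) before doing anything: both treat a missing nonce exactly like an invalid one and stop the request, which is the behaviour the isset() guard accidentally removed. Keep the capability check alongside it, since a valid nonce only shows the request originated from a page WordPress rendered for that user.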
Recommendations
Make sure to update to the latest version if you are running any of the above-mentioned plugins. If you had some of the vulnerable plugins installed on your blog and were using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you have already been informed about those issues by email.
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet