Date: Tue, 10 Jun 2014 12:40:26 +0000
From: dxw Security <>
Subject: [FD] CSRF in Member Approval 131109 permits unapproved
	registrations (WordPress plugin)

Software: Member Approval
Version: 131109
Advisory ID: dxw-1970-1172
CVE: CVE-2014-3850
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

CSRF in Member Approval 131109 permits unapproved registrations

By convincing a logged-in administrator to visit a link of an attacker’s choosing an attacker can reset the plugin’s options to the defaults, meaning that registrations will become open to everybody without requiring approval.

Proof of concept
By clicking the submit button here, an admin will reset the plugin to the defaults (with some slight modifications there may be a stored XSS here too, but I did not investigate further):
<form method="post" action="http://localhost/wp-admin/options-general.php?page=member-approval">
  <input type="submit">
</form>

Note: no admin action is necessary assuming the attacker can persuade an admin to visit a page under their control, as the form can be submitted using JavaScript.

Disable the plugin until a fix is available.
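The root cause described above is a settings handler that acts on any POST without checking that the logged-in administrator actually submitted the form. The following is an added illustration, not the Member Approval plugin's own code: a handler in the shape the advisory describes, and the same handler with the nonce and capability checks WordPress provides. The option name, the `ma_` prefix and the function names are assumptions; the `member-approval` page slug comes from the advisory's URL.

```php
<?php
// Added example (assumed names, not the plugin's code). The option name is a
// placeholder for whatever the plugin actually stores.
function ma_reset_to_defaults() {
    // Per the advisory, the plugin's defaults leave registration open to
    // everybody without approval.
    update_option( 'ma_require_approval', 0 );
}

// Vulnerable pattern: every POST to the options page is treated as intent.
// A form on any third-party page that targets
// wp-admin/options-general.php?page=member-approval is enough, because the
// browser attaches the admin's cookies and nothing ties the request to this site.
function ma_settings_page_vulnerable() {
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        ma_reset_to_defaults();
    }
    echo '<form method="post"><input type="submit" value="Reset"></form>';
}

// Hardened pattern: the page is only reachable with manage_options, the form
// carries a nonce bound to this user and this action, and the handler refuses
// any POST that does not present a valid one. An attacker's page cannot read
// the nonce, so the cross-site form above fails at check_admin_referer().
function ma_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Dies with a 403 "link expired" page when the nonce is missing,
        // expired, or was issued for another user or action.
        check_admin_referer( 'ma_reset_options', 'ma_nonce' );
        ma_reset_to_defaults();
    }
    echo '<form method="post">';
    wp_nonce_field( 'ma_reset_options', 'ma_nonce' );
    submit_button( 'Reset to defaults' );
    echo '</form>';
}

// Register the hardened callback for the options page the advisory targets.
add_action( 'admin_menu', function () {
    add_options_page( 'Member Approval', 'Member Approval', 'manage_options',
        'member-approval', 'ma_settings_page_hardened' );
} );
```

The nonce is a per-user, per-action token with a 12 to 24 hour lifetime, so it stops the forged submission but is not a substitute for the capability check; both belong in the handler.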

Disclosure policy
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy:

Please contact us on to acknowledge this report if you received it via a third party (for example, as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.


2014-04-08: Discovered
2014-04-10: Reported to
2014-06-10: No response from author. Published.

Discovered by dxw:
Tom Adams

Please visit for more information.

Sent through the Full Disclosure mailing list