Friday, January 22, 2016

WordPress Nonce Vulnerabilities

Quick Page/Post Redirect Plugin: A Case Study

Quick Page/Post Redirect Plugin has 200,000+ active installs, and version 5.1.5 and older are vulnerable to an attacker setting redirects to arbitrary URLs in bulk. Why? Because the developer assumed a 5-byte WordPress Nonce would stop the bulk redirect import functionality from running. Newsflash: it won't.

Since this particular instance of the vulnerability has been patched, let's look at how a hole can be poked in code that relies on Nonces to provide "security".

In a blatantly unfortunate way, with disregard for best practices (a series of rants left for another day), the developer decided to allow importing of a bulk redirects export file from any page on the site by hooking their ppr_parse_request_new function to the init hook, which fires on essentially every request WordPress handles, front-end or admin:

    add_action( 'init', array( $this, 'ppr_parse_request_new' ) );

So to get the function to execute we merely load up any page. Cool. The next step is to satisfy the following condition:

    elseif( isset( $_POST['import-quick-redrects-file'] ) && isset( $_FILES['qppr_file'] ) )

Easy: two POST fields and a file upload, which any HTTP client can send. And thus, we, as an unauthenticated attacker, meet up against

#wordpress #smallbusiness #entrepreneur
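The pattern the excerpt describes, and its hardened counterpart, as an added illustrative plugin file. This is not the Quick Page/Post Redirect Plugin's code and not the original article's; the class names, hook names, option name, the `demo_import` nonce action and the `demo_file`/`demo_nonce` field names are assumptions chosen for the example, and it assumes it is loaded by WordPress as a plugin. The vulnerable class reproduces the anti-pattern: an importer hung off `init`, gated on nothing but the presence of POST fields and a nonce. The hardened class moves the handler to an `admin_post_` action, checks a capability first, and only then verifies the nonce.

```php
<?php
/*
Plugin Name: Redirect Import Nonce Demo (illustrative, not the real plugin)
Description: Contrasts a nonce-only import handler on init with a hardened one.
*/

// Shared importer: each line of the upload is "source_path,target_url".
// Returns the number of redirects stored. Targets are restricted to http(s)
// so an imported file cannot plant javascript: or data: destinations.
function demo_import_redirects( $tmp_path ) {
    $lines   = file( $tmp_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
    $stored  = array();
    foreach ( (array) $lines as $line ) {
        $parts = array_map( 'trim', explode( ',', $line, 2 ) );
        if ( count( $parts ) !== 2 ) {
            continue;
        }
        list( $source, $target ) = $parts;
        $target = esc_url_raw( $target, array( 'http', 'https' ) );
        if ( '' === $target || '/' !== substr( $source, 0, 1 ) ) {
            continue; // reject anything that is not "/path -> http(s)://..."
        }
        $stored[ $source ] = $target;
    }
    update_option( 'demo_redirects', $stored ); // assumed option name
    return count( $stored );
}

// ANTI-PATTERN (mirrors the excerpt): runs on every request, accepts an
// upload from anyone, and treats a nonce as if it were authorisation.
class Demo_Redirect_Import_Vulnerable {
    public function __construct() {
        add_action( 'init', array( $this, 'parse_request' ) );
    }
    public function parse_request() {
        if ( isset( $_POST['demo-import-file'] ) && isset( $_FILES['demo_file'] ) ) {
            // A nonce is a CSRF token. It proves the request came from a page that
            // emitted this token; it says nothing about who is sending it. For a
            // logged-out visitor WordPress derives it from user ID 0 and an empty
            // session token, so the same value is valid for every anonymous client
            // for the whole tick window. No current_user_can() means no authorisation.
            if ( wp_verify_nonce( isset( $_POST['demo_nonce'] ) ? $_POST['demo_nonce'] : '', 'demo_import' ) ) {
                demo_import_redirects( $_FILES['demo_file']['tmp_name'] );
            }
        }
    }
}

// HARDENED: reachable only via wp-admin/admin-post.php?action=demo_import,
// only for logged-in users, only with the right capability, and only with a
// nonce that the admin form emitted via wp_nonce_field( 'demo_import', 'demo_nonce' ).
class Demo_Redirect_Import_Hardened {
    const CAP   = 'manage_options';
    const NONCE = 'demo_import';

    public function __construct() {
        add_action( 'admin_post_demo_import', array( $this, 'handle_import' ) );
        // Logged-out requests to the same action hit the _nopriv_ variant: deny.
        add_action( 'admin_post_nopriv_demo_import', array( $this, 'deny' ) );
    }

    public function deny() {
        wp_die( 'Authentication required.', '', array( 'response' => 403 ) );
    }

    public function handle_import() {
        // 1. Authorisation: who is allowed to run the importer at all.
        if ( ! current_user_can( self::CAP ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        // 2. CSRF: the nonce proves this admin intended to submit this form.
        //    check_admin_referer() dies on failure, so nothing below runs without it.
        check_admin_referer( self::NONCE, 'demo_nonce' );
        // 3. Input: require a real, successful upload before touching it.
        if ( empty( $_FILES['demo_file'] ) || UPLOAD_ERR_OK !== $_FILES['demo_file']['error'] ) {
            wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
        }
        $count = demo_import_redirects( $_FILES['demo_file']['tmp_name'] );
        wp_safe_redirect( add_query_arg( 'imported', (int) $count, admin_url( 'options-general.php' ) ) );
        exit;
    }
}

// Instantiate only one of the two; the vulnerable class exists for comparison.
new Demo_Redirect_Import_Hardened();
```

The order of the three checks in `handle_import()` is the point: capability first, nonce second, input last. A nonce check on its own, as in the vulnerable class, answers "did this request come from a form I rendered?" and nothing else; `init` plus a POST-field test answers nothing at all, since any HTTP client can construct that request against any URL on the site.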

https://managewp.org/articles/11576/wordpress-nonce-vulnerabilities
