The Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering.

These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability.

Because a Cross-Site Request Forgery attack tricks an administrator's own browser into sending a request that the administrator is allowed to make, a forged request is indistinguishable from a legitimate one at the firewall: a rule that blocked the exploit would also block normal use of the plugin. The only effective protection is the patch itself, so it is strongly recommended to update to the latest patched version of Nested Pages to ensure your site is protected against exploits targeting these vulnerabilities.

The Nested Pages plugin allows site owners to manage page structure via drag and drop functionality. It also allows owners to perform actions on multiple pages at the same time, including bulk page deletion and modification of page metadata, including page author and publication status.

The plugin implemented this through a pair of admin_post actions, npBulkActions and npBulkEdit. Most of the plugin's actions included CSRF protection in the form of a nonce check, but these two did not. The npBulkActions action could be used to trash or permanently delete any page on the site: post IDs supplied in the post_ids POST parameter were merely moved to the trash, but every post ID supplied in the redirect_post_ids POST parameter, which was intended only for deleting the plugin's link items, was permanently deleted, with no copy left in the trash to recover.


The end result of this was that an attacker could trick an administrator into sending a request that could reassign pages to a different author, publish or unpublish them, or even permanently purge every single post and page from a site at once.

In addition to being usable for modifying pages on a site, the functions called by the npBulkActions and npBulkEdit actions also redirected users to the location provided in the page POST parameter after completing their changes.

Open redirects are commonly used for phishing: a link that visibly points at a trusted site sends the visitor on to a site under the attacker's control, where they may be tricked into entering credentials. In this case, the open redirect could also serve a secondary purpose. With most CSRF attacks, the victim's browser ends up on the page that processed the forged request, which can tip them off that something has gone wrong, especially if the changes are visible on that page. Chaining the open redirect to the CSRF attack lets the attacker send the victim on to an innocuous page after the forged request completes, so the attack is less likely to raise immediate suspicion.

Additionally, two other admin_post actions, npListingSort and npCategoryFilter, only exposed read-only functionality and so were unlikely targets for a CSRF attack, but they performed the same unvalidated redirect and could therefore be used for an open redirect attack on their own.
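To make the two classes of bug concrete, here is an added example written for this article, not code from Nested Pages or from its fix. It shows a bulk-action admin_post handler in the shape described above, first unprotected and then hardened against both the CSRF and the open redirect. The action and parameter names npBulkActions, post_ids, redirect_post_ids and page come from the advisory; the nonce action name np_bulk_actions, the nonce field name _np_nonce, the function names, and the np-redirect post type used to restrict permanent deletion are assumptions made for the example.

```php
<?php
// Added example for this article, not the plugin's own code.
// Assumed names: np_bulk_actions (nonce action), _np_nonce (nonce field),
// np-redirect (post type of the plugin's link items), all function names.

// Unprotected shape: no nonce, no capability check, unvalidated redirect.
// A forged POST from a logged-in admin's browser trashes post_ids, permanently
// deletes redirect_post_ids, then sends the admin wherever 'page' points.
function np_bulk_actions_unprotected() {
    $trash_ids  = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    $delete_ids = array_map( 'absint', (array) ( $_POST['redirect_post_ids'] ?? array() ) );

    foreach ( $trash_ids as $id ) {
        wp_trash_post( $id );           // recoverable from the trash
    }
    foreach ( $delete_ids as $id ) {
        wp_delete_post( $id, true );    // force delete: nothing left to recover
    }

    wp_redirect( $_POST['page'] ?? admin_url() ); // any URL, any host: open redirect
    exit;
}
add_action( 'admin_post_npBulkActions', 'np_bulk_actions_unprotected' );

// Hardened shape: nonce, per-post authorization, host-restricted redirect.
function np_bulk_actions_hardened() {
    // 1. CSRF: the request must carry a nonce that only a page rendered for this
    //    user could have contained. check_admin_referer() dies on a bad nonce.
    check_admin_referer( 'np_bulk_actions', '_np_nonce' );

    // 2. Authorization: a nonce proves intent, not permission. Check the
    //    'delete_post' meta capability per post, so a user who may delete
    //    their own posts cannot delete someone else's.
    $trash_ids  = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    $delete_ids = array_map( 'absint', (array) ( $_POST['redirect_post_ids'] ?? array() ) );

    foreach ( $trash_ids as $id ) {
        if ( $id && current_user_can( 'delete_post', $id ) ) {
            wp_trash_post( $id );
        }
    }
    foreach ( $delete_ids as $id ) {
        // Force deletion is only appropriate for the plugin's own link items;
        // 'np-redirect' is an assumed post type name for this example.
        if ( $id && current_user_can( 'delete_post', $id ) && 'np-redirect' === get_post_type( $id ) ) {
            wp_delete_post( $id, true );
        }
    }

    // 3. Open redirect: wp_safe_redirect() passes the target through
    //    wp_validate_redirect(), which substitutes the default when the host is
    //    not this site's (or one in the allowed_redirect_hosts filter).
    $target = isset( $_POST['page'] ) ? esc_url_raw( wp_unslash( $_POST['page'] ) ) : '';
    wp_safe_redirect( $target ?: admin_url() );
    exit;
}
add_action( 'admin_post_np_bulk_actions_hardened', 'np_bulk_actions_hardened' );

// The plugin's own form must embed the matching nonce so that legitimate
// submissions pass check_admin_referer(); a page on an attacker's site cannot
// obtain this value for the victim's session.
function np_bulk_actions_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="np_bulk_actions_hardened">
        <?php wp_nonce_field( 'np_bulk_actions', '_np_nonce' ); ?>
        <input type="hidden" name="post_ids[]" value="123">
        <input type="hidden" name="page" value="<?php echo esc_url( admin_url() ); ?>">
        <button type="submit">Trash selected</button>
    </form>
    <?php
}
```

The same three changes apply to npBulkEdit, and the redirect change alone is what the read-only npListingSort and npCategoryFilter actions need. Note that the nonce and the capability check are independent controls: the nonce stops a third-party site from forging the request, while current_user_can() stops a low-privileged user who can legitimately obtain a nonce from acting on posts that are not theirs.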
