IndieAuth WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Account Takeover

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the IndieAuth plugin for WordPress, affecting all versions through 4.5.4. The issue arises from missing nonce verification in the 'login_form_indieauth()' function and the authorization endpoint at wp-login.php?action=indieauth. Because nothing ties an approval request to a consent form the site actually rendered for the user, an unauthenticated attacker can trick a logged-in user into approving an OAuth authorization request for an application the attacker controls. Once the request is approved, the attacker can exchange the resulting authorization code for an access token and gain access to the victim's account with whatever scopes the forged request asked for (create, update, delete).
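The following is an added illustration of the missing check, not code from the IndieAuth plugin: a hypothetical WordPress consent handler for an OAuth/IndieAuth-style authorization prompt, shown first without and then with the nonce verification whose absence the advisory describes. All function names, constants, field names and the example_* prefix are assumptions; wp_nonce_field(), wp_verify_nonce(), set_transient(), wp_generate_password() and the other wp_* calls are standard WordPress APIs.

```php
<?php
/**
 * Added example (not the plugin's own code). Demonstrates the WordPress nonce
 * pattern that prevents a logged-in user's browser from being driven into
 * approving an authorization request by a page on another origin.
 */

// Fields an authorization request carries; names assumed for the example.
const EXAMPLE_AUTH_FIELDS = array( 'client_id', 'redirect_uri', 'state', 'scope' );

// --- 1. Unprotected pattern: a cross-site POST from a logged-in browser is accepted ---

function example_render_consent_form_unprotected( array $request ) {
    echo '<form method="post">';
    foreach ( EXAMPLE_AUTH_FIELDS as $name ) {
        printf( '<input type="hidden" name="%s" value="%s">', esc_attr( $name ), esc_attr( $request[ $name ] ?? '' ) );
    }
    echo '<button type="submit" name="approve" value="1">Approve</button></form>';
}

function example_handle_consent_unprotected() {
    if ( ! is_user_logged_in() || empty( $_POST['approve'] ) ) {
        return;
    }
    // Nothing proves this POST originated from a form this site rendered for this
    // user, so a form auto-submitted from another origin is indistinguishable
    // from a genuine click on "Approve". This is the defect class the advisory reports.
    example_issue_code_and_redirect( get_current_user_id(), $_POST );
}

// --- 2. Hardened pattern: bind the approval to a per-user, per-action nonce ---

const EXAMPLE_CONSENT_ACTION = 'example_authorize_client'; // assumed action name
const EXAMPLE_NONCE_FIELD    = '_example_consent_nonce';   // assumed field name

function example_render_consent_form_hardened( array $request ) {
    echo '<form method="post">';
    // Emits a hidden input carrying a nonce bound to the current user and this action.
    wp_nonce_field( EXAMPLE_CONSENT_ACTION, EXAMPLE_NONCE_FIELD );
    foreach ( EXAMPLE_AUTH_FIELDS as $name ) {
        printf( '<input type="hidden" name="%s" value="%s">', esc_attr( $name ), esc_attr( $request[ $name ] ?? '' ) );
    }
    echo '<button type="submit" name="approve" value="1">Approve</button></form>';
}

function example_handle_consent_hardened() {
    if ( ! is_user_logged_in() || empty( $_POST['approve'] ) ) {
        return;
    }
    // A page on another origin cannot read the nonce out of our form, so it cannot
    // forge a valid POST. wp_verify_nonce() returns false on a missing, foreign or
    // expired nonce; we log and stop with a 403 rather than approving anything.
    $nonce = isset( $_POST[ EXAMPLE_NONCE_FIELD ] ) ? sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_NONCE_FIELD ] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_CONSENT_ACTION ) ) {
        error_log( 'Rejected authorization approval without a valid nonce for user ' . get_current_user_id() );
        wp_die( 'The authorization request could not be verified. Reopen the prompt and try again.', 'Invalid request', array( 'response' => 403 ) );
    }
    example_issue_code_and_redirect( get_current_user_id(), $_POST );
}

// --- Shared: mint a short-lived code and send the user back to the client ---

function example_issue_code_and_redirect( $user_id, array $post ) {
    $client_id    = esc_url_raw( wp_unslash( $post['client_id'] ?? '' ) );
    $redirect_uri = esc_url_raw( wp_unslash( $post['redirect_uri'] ?? '' ) );

    // Simplified redirect_uri check (assumed policy for this example): only accept a
    // redirect target on the same host as client_id, so the code cannot be sent
    // to an arbitrary third-party URL.
    if ( '' === $client_id || '' === $redirect_uri
        || wp_parse_url( $client_id, PHP_URL_HOST ) !== wp_parse_url( $redirect_uri, PHP_URL_HOST ) ) {
        wp_die( 'redirect_uri does not match client_id.', 'Invalid request', array( 'response' => 400 ) );
    }

    $code = wp_generate_password( 32, false ); // 32 random alphanumeric characters
    set_transient(
        'example_auth_code_' . $code,
        array(
            'user_id'      => $user_id,
            'client_id'    => $client_id,
            'redirect_uri' => $redirect_uri,
            'scope'        => sanitize_text_field( wp_unslash( $post['scope'] ?? '' ) ),
        ),
        10 * MINUTE_IN_SECONDS // code expires if not exchanged promptly
    );

    $location = add_query_arg(
        array( 'code' => $code, 'state' => sanitize_text_field( wp_unslash( $post['state'] ?? '' ) ) ),
        $redirect_uri
    );
    wp_redirect( $location ); // external target, so wp_safe_redirect() would refuse it
    exit;
}
```

The nonce is the only difference between the two handlers: everything else, including the user being logged in, is identical in the forged and the genuine request. WordPress nonces are derived from the user ID, session token, action name and a time tick, so a value lifted from one user's form is useless for another user or after roughly 24 hours; the hardened handler therefore only needs to verify the nonce, not store anything extra.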

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, leading to unauthorized approval of OAuth authorization requests and subsequent account takeover via stolen OAuth tokens.

Reproduction

To reproduce this vulnerability, an attacker must craft a forged request that exploits the missing nonce verification in the IndieAuth plugin. This can be done by tricking a logged-in user into clicking a link or visiting a page that sends the forged request through the authorization endpoint at wp-login.php?action=indieauth. Once the request is approved, the attacker can intercept the authorization code and exchange it for an access token, gaining access to the user's account.

Remediation

No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.

Added: Oct 24, 2025, 9:20 AM
Updated: Oct 24, 2025, 9:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.