Opened 12 days ago
Last modified 5 days ago
#65562 new defect (bug)
CSRF in wp-signup.php allows logged-in users to be forced to create another site
| Reported by: | yaghoot | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | Networks and Sites | Version: | trunk |
| Severity: | normal | Keywords: | has-patch has-unit-tests |
| Cc: | Focuses: | multisite |
Description
## Problem
On multisite installations where site registration is enabled (registration option is blog or all), a logged-in user can be tricked into creating a new site via a cross-site POST request to wp-signup.php.
The "create another site" flow (signup_another_blog() → validate_another_blog_signup() → wpmu_create_blog()) does not use a nonce. Unlike most state-changing admin actions in WordPress, this logged-in POST handler has no CSRF protection.
## Steps to reproduce
- Set up a multisite network with site registration enabled (Settings → Network Settings → Registration Settings → "User accounts may be registered" or "Both user and site accounts…").
- Log in as a regular user who is allowed to create sites.
- From an external origin, submit a POST form to
https://example.com/wp-signup.php:
`html
<form action="https://example.com/wp-signup.php" method="POST">
<input type="hidden" name="stage" value="gimmeanotherblog" />
<input type="hidden" name="blogname" value="evil-site" />
<input type="hidden" name="blog_title" value="Unwanted Site" />
<input type="hidden" name="blog_public" value="1" />
</form>
<script>document.forms[0].submit();</script>
`
- A new site is created under the victim's account without their consent.
## Impact
- Unwanted sites created on behalf of logged-in users
- Potential abuse for phishing, spam, or quota exhaustion
- Sites are created immediately via wpmu_create_blog(), not held for email activation
## Proposed fix
- Add wp_nonce_field( 'add-another-blog' ) to the form in signup_another_blog().
- Add check_admin_referer( 'add-another-blog' ) at the start of validate_another_blog_signup(), after the logged-in check and before wpmu_create_blog().
Scope is intentionally limited to the logged-in "create another site" path. Public user/site registration flows are unchanged.
Change History (2)
This ticket was mentioned in PR #12363 on WordPress/wordpress-develop by @yaghoot.
12 days ago
#1
- Keywords has-patch has-unit-tests added
![(please configure the [header_logo] section in trac.ini)](/chrome/site/your_project_logo.png)
https://core.trac.wordpress.org/ticket/65562
Adds nonce protection to the logged-in "create another site" flow in
wp-signup.php:wp_nonce_field( 'add-another-blog' )insignup_another_blog()check_admin_referer( 'add-another-blog' )invalidate_another_blog_signup()beforewpmu_create_blog()Without this, a logged-in multisite user could be forced to create a site via a cross-site POST when site registration is enabled.
Adds PHPUnit tests in
tests/phpunit/tests/multisite/wpSignupAnotherBlogNonce.php.