
Lack of CSRF Protection for AJAX Accessible Functions

Open PluginVulnerabilities opened this issue 8 years ago • 0 comments

This plugin was selected by our customers to receive a basic security review from us. We found two relatively minor issues during that review.

First, a number of functions that are made available to users with the manage_options capability through WordPress' AJAX functionality lack cross-site request forgery (CSRF) protection:

if (current_user_can('manage_options')) {
    add_action('wp_ajax_crayon-ajax', 'CrayonWP::ajax');
    add_action('wp_ajax_crayon-theme-editor', 'CrayonThemeEditorWP::content');
    add_action('wp_ajax_crayon-theme-editor-save', 'CrayonThemeEditorWP::save');
    add_action('wp_ajax_crayon-theme-editor-delete', 'CrayonThemeEditorWP::delete');
    add_action('wp_ajax_crayon-theme-editor-duplicate', 'CrayonThemeEditorWP::duplicate');
    add_action('wp_ajax_crayon-theme-editor-submit', 'CrayonThemeEditorWP::submit');
    add_action('wp_ajax_crayon-show-posts', 'CrayonSettingsWP::show_posts');
    add_action('wp_ajax_crayon-show-langs', 'CrayonSettingsWP::show_langs');
    add_action('wp_ajax_crayon-show-preview', 'CrayonSettingsWP::show_preview');
}

The ones that look to be of concern are the theme editor functions, since they could, among other things, allow an attacker to cause a logged-in Administrator to add arbitrary PHP code to a file on the website. The file would have a .css extension, so the code couldn't be run directly, but combined with a local file inclusion (LFI) vulnerability it could be.

Second, many of the .php files in the plugin look like they are not intended to be accessed directly, but the files don't include code at the top of them to restrict direct access.

PluginVulnerabilities, Jan 23 '17 20:01
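As an added illustration (not code from the Crayon plugin and not part of the issue above), the following shows the two standard WordPress mechanisms that close the gaps the report describes: a nonce verified with `check_ajax_referer()` inside each `wp_ajax_*` handler, with the nonce handed to the admin page's script through `wp_localize_script()`, and the conventional `ABSPATH` guard at the top of a file that should never be requested directly. Everything except the WordPress API calls (`check_ajax_referer`, `wp_create_nonce`, `wp_localize_script`, `current_user_can`, `wp_send_json_*`, `sanitize_key`, `wp_upload_dir`, `wp_mkdir_p`) is hypothetical: the `example_*` function names, the `EXAMPLE_*` constants, the `admin.js` handle and the save location are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Demonstrates
//   (1) a guard against direct access to a plugin file, and
//   (2) CSRF protection for an admin-only wp_ajax_* handler.

// (1) ABSPATH is defined by wp-load.php when WordPress bootstraps. If a client
// requests this file directly from the web server, it is undefined and the
// script stops before any code below runs.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Hypothetical names: the nonce action string and the AJAX action slug.
const EXAMPLE_NONCE_ACTION = 'example_theme_editor';
const EXAMPLE_AJAX_ACTION  = 'example-theme-editor-save';

/**
 * (2a) Hand a nonce to the admin page's JavaScript. wp_localize_script()
 * exposes it as window.exampleAjax.nonce; the page script (hypothetical
 * admin.js) then sends it as the `_ajax_nonce` POST field, e.g.:
 *   jQuery.post(exampleAjax.url, {action: 'example-theme-editor-save',
 *               _ajax_nonce: exampleAjax.nonce, name: 'mytheme', css: cssText});
 * The nonce is bound to the logged-in user and rotates, so a third-party page
 * that can make the admin's browser submit a form cannot know it.
 */
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( EXAMPLE_NONCE_ACTION ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

/**
 * (2b) The AJAX handler. Both checks run per request, inside the handler:
 *  - check_ajax_referer() verifies the `_ajax_nonce` field against the action
 *    string (third argument false: return false instead of die() so we can
 *    send a JSON error ourselves).
 *  - current_user_can() re-checks the capability for this request.
 * A forged cross-site request carries the admin's auth cookies but not the
 * nonce, so it is rejected before any file is written.
 */
function example_theme_editor_save() {
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, '_ajax_nonce', false ) ) {
        wp_send_json_error( 'invalid or missing nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    // Only now look at user-controlled input. sanitize_key() keeps the theme
    // name to [a-z0-9_-], so it cannot contain a path separator or "..".
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'bad theme name', 400 );
    }
    $css = isset( $_POST['css'] ) ? wp_unslash( $_POST['css'] ) : '';

    // Hypothetical save location. The point is that the write happens only
    // after both checks above have passed for this specific request.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-themes/';
    wp_mkdir_p( $dir );
    $ok = ( false !== file_put_contents( $dir . $name . '.css', $css ) );

    if ( $ok ) {
        wp_send_json_success( array( 'saved' => $name ) );
    }
    wp_send_json_error( 'write failed', 500 );
}

// Register the handler unconditionally. Wrapping add_action() in
// current_user_can(), as in the snippet quoted in the issue, only decides
// whether the hook is attached; it does nothing to tell a request the admin
// intended to make apart from one a third-party page made the admin's browser
// send. The nonce check inside the handler is what distinguishes the two.
add_action( 'wp_ajax_' . EXAMPLE_AJAX_ACTION, 'example_theme_editor_save' );
```

Passing `false` as the third argument to `check_ajax_referer()` is a choice, not a requirement: the default (`true`) ends the request with `-1` on failure, which is equally safe but gives the caller less useful feedback. The `ABSPATH` guard at the top addresses the second finding in the report; it is the usual idiom and costs nothing, and it belongs in every plugin file that is loaded via `include`/`require` rather than by a direct request.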