CVE-2022-1618 Vulnerability Explained: Coru LFMember WordPress Plugin through 1..2 XSS issue with Missing CSRF Protection

The security community has recently discovered a vulnerability, CVE-2022-1618, in the Coru LFMember WordPress Plugin through version 1..2. This vulnerability exposes numerous websites using the plugin to Cross-Site Scripting (XSS) attacks and leaves them unprotected against Cross-Site Request Forgery (CSRF) attempts. This post aims to explain the details of this vulnerability, including a code snippet demonstrating the issue and links to original references for further information.

Vulnerability Overview

Coru LFMember is a popular WordPress plugin that allows websites to manage games and tournaments for their members. However, the plugin's developers failed to implement CSRF checks when adding new games and failed to sanitize or escape their settings. This issue allows an attacker to exploit the vulnerability and make a logged-in admin add an arbitrary game with an XSS payload, potentially compromising the website's security and its users.

Recognizing the vulnerability, experts assigned it a Common Vulnerability and Exposure (CVE) identifier, CVE-2022-1618.

Code Snippet Demonstrating the Issue

The following code snippet demonstrates the lack of CSRF protection and sanitization when adding a game in the Coru LFMember WordPress plugin:

// In lfmember.php
if ($_POST['action'] == 'add_game') {
    // No CSRF check

    $name = $_POST['game_name']; // No sanitization
    $description = $_POST['game_description']; // No sanitization

    // Insert game into database with unsanitized values
    $wpdb->insert('games', array(
        'name' => $name,
        'description' => $description
    ));
}

As shown in the example above, there is no CSRF check present when adding a new game. In addition, the user input data ($_POST['game_name'] and $_POST['game_description']) are not sanitized or escaped, allowing an attacker to inject XSS payloads freely.

Exploit Details

An attacker can exploit this vulnerability by crafting a malicious payload and tricking a logged-in admin to visit a webpage containing the payload. An example of an exploit could be:

<!-- Malicious webpage example -->
<form action="https://example.com/wp-admin/admin-post.php?action=add_game"; method="post">
    <input type="hidden" name="game_name" value="<script>alert('XSS')</script>">
    <input type="hidden" name="game_description" value="Exploiting the vulnerability">
    <input type="submit" value="Click here to exploit the vulnerability">
</form>

When the admin clicks the submit button, the browser will send a request to the vulnerable website, adding a new game with the attacker's injected XSS payload. This payload will then run on the website, potentially compromising security and user data.

For more details about this vulnerability, please refer to the following resources

1. CVE-2022-1618 official description on NIST's National Vulnerability Database
2. Coru LFMember WordPress plugin official page

Conclusion

The CVE-2022-1618 vulnerability in the Coru LFMember WordPress Plugin through version 1..2 poses a significant security risk to websites using the plugin. The absence of CSRF protection and sanitization/escaping allows an attacker to inject XSS payloads and potentially compromise site security and user data. It is essential for developers to fix the vulnerability, and for users to update their plugin to a secure version as soon as available.

Timeline

Published on: 01/16/2024 16:15:09 UTC
Last modified on: 01/24/2024 13:37:31 UTC