A recently discovered Cross-Site Request Forgery (CSRF) vulnerability in the a3rev Software Page View Count plugin for WordPress, version 2.5.5 and earlier, puts sites running the plugin at risk of attack. CVE-2022-40131 allows a malicious actor to reset the plugin's settings without the administrator's consent or knowledge, which can then be leveraged for further malicious activity. This post provides an overview of the vulnerability, the relevant code snippet, references, and exploit details.

Vulnerability Details

Affected Component: a3rev Software Page View Count Plugin on WordPress
Affected Versions: 2.5.5 and earlier
CVE ID: CVE-2022-40131
Severity: Medium

Technical Analysis

The CSRF vulnerability in the a3rev Software Page View Count plugin on WordPress allows an attacker to trick an authenticated, unsuspecting site administrator into clicking a specially crafted link that resets the plugin settings. Because the administrator's browser automatically attaches the site's session cookies to the forged request, the plugin accepts it as if the administrator had initiated it. This settings reset can be detrimental, especially if the plugin is a critical part of the website's functionality.

The following code snippet shows the vulnerable function within the plugin's PHP file (plugin-specific identifiers are elided as [...] in this excerpt):

add_action( "wp_ajax_[...]_reset", "[...]_reset" );

function [...]_reset() {
  global $wpdb, $[...];
  // Deletes the stored settings without verifying a nonce or checking the caller's capability.
  delete_option( $[...]->settings_name );

  // Re-creates the plugin's default settings.
  [...]_install();
  die();
}

As illustrated, the handler neither validates a nonce nor performs any capability check, so any request from a logged-in user that reaches the wp_ajax_ endpoint triggers the reset. This allows an attacker to craft a link that invokes the reset functionality, and to use social engineering to encourage an administrator to click on the malicious link and inadvertently reset the plugin settings.

2. The attacker sends the link to an authenticated site administrator via email or another form of communication.
3. The unsuspecting administrator clicks the link, unknowingly resetting the plugin settings on the target website.
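For comparison, below is a hardened version of such an admin-ajax reset handler. This is an added example, not code from the a3rev plugin or its fix; every name prefixed pvc_example_ (the option name, nonce action, hook suffix and script handle) is a hypothetical placeholder, while the WordPress functions called (check_ajax_referer, current_user_can, wp_send_json_error, wp_create_nonce, wp_localize_script) are real core APIs. It closes both gaps named above: the request must carry a nonce issued to the plugin's own settings page, and the caller must hold the manage_options capability.

```php
<?php
/**
 * Added example (not the plugin's code): a hardened admin-ajax "reset settings"
 * handler. All pvc_example_* names are hypothetical; WordPress core APIs are real.
 */

// Option the handler resets (hypothetical name).
define( 'PVC_EXAMPLE_OPTION', 'pvc_example_settings' );
// Nonce action string; the client must send a nonce created for exactly this action.
define( 'PVC_EXAMPLE_NONCE_ACTION', 'pvc_example_reset_settings' );

/**
 * Restores the option to its defaults (stand-in for the plugin's install routine).
 */
function pvc_example_install() {
    update_option( PVC_EXAMPLE_OPTION, array( 'counter_enabled' => true ) );
}

/**
 * Hardened reset handler. The wp_ajax_ prefix already limits it to logged-in
 * users; on top of that it requires (1) a valid nonce bound to this action,
 * which a cross-site page cannot obtain, and (2) the manage_options capability.
 */
function pvc_example_reset() {
    // Verify the 'security' request field against the nonce action. With the
    // third argument false, check_ajax_referer() returns false instead of
    // calling die(), so a structured JSON error can be returned here.
    if ( ! check_ajax_referer( PVC_EXAMPLE_NONCE_ACTION, 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // A nonce proves intent, not authorisation: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( PVC_EXAMPLE_OPTION );
    pvc_example_install();

    // wp_send_json_success() emits JSON and calls die() internally.
    wp_send_json_success( array( 'message' => 'Settings reset.' ) );
}
add_action( 'wp_ajax_pvc_example_reset', 'pvc_example_reset' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors get no endpoint.

/**
 * Issues the nonce to the plugin's settings-page script so a legitimate reset
 * button can include it as the 'security' POST field. Because the nonce is
 * rendered only inside the authenticated admin page, a forged request from
 * another origin has no way to read it.
 */
function pvc_example_enqueue_admin_script( $hook_suffix ) {
    // Load only on this plugin's own settings page (hypothetical hook suffix).
    if ( 'settings_page_pvc-example' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script(
        'pvc-example-admin',
        plugins_url( 'admin.js', __FILE__ ), // hypothetical script file
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'pvc-example-admin', 'pvcExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( PVC_EXAMPLE_NONCE_ACTION ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'pvc_example_enqueue_admin_script' );
```

The accompanying admin script (not shown) would POST `action=pvc_example_reset` together with `security=<pvcExample.nonce>` to `pvcExample.ajaxUrl`. Requests lacking the nonce, carrying a nonce for a different action, or coming from a user without manage_options receive a 403 JSON error and leave the option untouched; the two checks are independent on purpose, since the nonce defends against forged requests from a privileged user's browser while the capability check defends against low-privilege accounts calling the endpoint directly.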

Mitigation and Recommendations

Users of the a3rev Software Page View Count plugin on WordPress are advised to update immediately to version 2.5.6 or newer, which addresses the CSRF vulnerability.

The fix is documented in the plugin changelog on the plugin's WordPress.org page.

Besides updating the plugin, site administrators should also follow these best practices:

1. Regularly assess their WordPress site, plugins, and themes to ensure that they are running the latest versions.
2. Use strong, unique credentials for every registered user on the website, especially administrators.

Original References and Further Information

1. CVE-2022-40131: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40131
2. a3rev Software Page View Count Plugin: https://wordpress.org/plugins/page-views-count/
3. The Importance of CSRF Protection: https://owasp.org/www-community/attacks/csrf
4. WordPress Best Security Practices: https://wordpress.org/support/article/hardening-wordpress/

Conclusion

CVE-2022-40131 poses a significant threat to WordPress websites running the a3rev Software Page View Count plugin, version 2.5.5 and earlier. By understanding the vulnerability's exploit details and potential consequences, site administrators can take proactive measures to secure their WordPress installations and prevent CSRF attacks. Updating the plugin and following best security practices can substantially reduce the risk associated with this vulnerability.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 17:22:00 UTC