Security researchers have discovered a critical Cross-Site Request Forgery (CSRF) vulnerability in the GTmetrix for WordPress plugin (versions <= .4.7). Malicious attackers can exploit this vulnerability to perform unauthorized actions on vulnerable WordPress sites that use GTmetrix. This post provides a detailed overview of the issue, including code snippets, links to the original references, and information about potential exploits.

What is GTmetrix for WordPress plugin?
GTmetrix for WordPress is a popular plugin that integrates the GTmetrix API into your WordPress site. This allows you to calculate website performance scores, analyze key metrics, and implement optimization strategies directly from your WordPress dashboard. Currently, the GTmetrix for WordPress plugin is installed on over 10,000 sites worldwide.

Vulnerability Details

The Cross-Site Request Forgery (CSRF) vulnerability found in GTmetrix for WordPress plugin versions <= .4.7 allows an attacker to forge HTTP requests on behalf of an authenticated user without that user's consent. This can lead to unauthorized actions, such as modifying plugin settings, deleting performance reports, or creating new API keys.

To exploit this vulnerability, an attacker can craft a malicious link or embed code on a website that, when clicked or executed by the targeted user, performs unauthorized actions on their behalf. The attacker would need to trick the user into clicking the link or visiting the malicious website while they are logged into their WordPress site.

Here's an example of a forged HTTP request:

<form action="http://your-vulnerable-site.com/wp-admin/admin.php?page=gtmetrix" method="post" enctype="multipart/form-data">
  <input type="hidden" name="gtmetrix_api_key" value="fake_api_key" />
  <input type="hidden" name="gtmetrix_username" value="fake_username" />
  <input type="hidden" name="submit" value="1" />
  <input type="submit" value="Submit" />
</form>

The above code creates a form that sends a POST request to the GTmetrix for WordPress settings page, changing the API key and username without the user's consent.
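The reason such a form succeeds is that the settings handler accepts any POST carrying the victim's session cookie. The following is an added illustrative example (not the GTmetrix for WordPress plugin's own code) of the vulnerable pattern next to the standard WordPress fix: a nonce bound to the user and action, verified with check_admin_referer(), plus a capability check. The option names, nonce action and settings page slug are assumptions.

```php
<?php
// Added illustrative example, not the GTmetrix for WordPress plugin's own code.
// Option names, the settings page slug and the nonce action are assumptions.

// Vulnerable pattern: any POST that reaches the settings page is applied as-is.
// A cross-site form (like the one shown above) succeeds because the browser
// attaches the victim's cookies and nothing ties the request to the admin UI.
function gtmetrix_example_save_settings_vulnerable() {
    if ( isset( $_POST['submit'] ) ) {
        update_option( 'gtmetrix_example_api_key',  $_POST['gtmetrix_api_key'] );
        update_option( 'gtmetrix_example_username', $_POST['gtmetrix_username'] );
    }
}

// Hardened pattern: render the form with a nonce and verify it (plus the
// user's capability) before touching any option.
function gtmetrix_example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=gtmetrix' ) ); ?>">
        <?php wp_nonce_field( 'gtmetrix_example_save_settings', 'gtmetrix_example_nonce' ); ?>
        <input type="text" name="gtmetrix_api_key" value="<?php echo esc_attr( get_option( 'gtmetrix_example_api_key', '' ) ); ?>" />
        <input type="text" name="gtmetrix_username" value="<?php echo esc_attr( get_option( 'gtmetrix_example_username', '' ) ); ?>" />
        <?php submit_button( 'Save Settings', 'primary', 'submit' ); ?>
    </form>
    <?php
}

function gtmetrix_example_save_settings_hardened() {
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
    // Only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Rejects the request (wp_die) unless a valid, unexpired nonce bound to this
    // user and action was submitted; a third-party site cannot obtain one.
    check_admin_referer( 'gtmetrix_example_save_settings', 'gtmetrix_example_nonce' );

    $api_key  = isset( $_POST['gtmetrix_api_key'] )  ? sanitize_text_field( wp_unslash( $_POST['gtmetrix_api_key'] ) )  : '';
    $username = isset( $_POST['gtmetrix_username'] ) ? sanitize_text_field( wp_unslash( $_POST['gtmetrix_username'] ) ) : '';

    update_option( 'gtmetrix_example_api_key',  $api_key );
    update_option( 'gtmetrix_example_username', $username );
}
```

With the hardened handler, the forged form above still reaches the server with the victim's cookies, but it carries no valid nonce, so check_admin_referer() stops the request before any option is written.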

Original References

The vulnerability was initially reported by security researchers from WPScan, with a detailed report available here:
- WPScan Vulnerability Database

Mitigation and Solution

The developers of GTmetrix for WordPress have been notified and have promptly released a patched version, .4.8, which resolves this issue. It is highly recommended for all users of the plugin to update their installations to the latest version as soon as possible. You can download the latest version here.

In addition, as a general best practice, users should always maintain a strong and unique password for their WordPress accounts and be cautious when clicking on links or visiting unfamiliar websites.

Conclusion

The discovery of this CSRF vulnerability (CVE-2023-37996) in the GTmetrix for WordPress plugin (versions <= .4.7) highlights the importance of timely patching and security awareness for developers and users alike. By closely monitoring security updates and reports, and by taking immediate action to patch and resolve issues, the risk of falling victim to attacks can be significantly reduced. Remember, always keep your plugins up to date and practice safe browsing habits to minimize the risk of exploitation.

Timeline

Published on: 10/03/2023 10:15:10 UTC
Last modified on: 10/04/2023 17:13:22 UTC