CVE-2023-5383 - Funnelforms Free WordPress Plugin 3.4 Vulnerable to Cross-Site Request Forgery (CSRF)

---

Introduction

The Funnelforms Free plugin for WordPress - an essential tool for managing online forms - has a security vulnerability in versions up to and including 3.4: it is prone to Cross-Site Request Forgery (CSRF) attacks. This vulnerability revolves around the misuse or lack of nonce validation in the fnsf_copy_posts function. This post will delve into the vulnerability, explaining the CVE-2023-5383 vulnerability, presenting code snippets that demonstrate the issue, and discussing how attackers can exploit this weakness.

Vulnerability Details

The Funnelforms Free plugin does not properly handle nonce validation in the fnsf_copy_posts function. Nonces, or "numbers used only once," serve as unique tokens that help secure HTTP requests by ensuring that unauthenticated and untrusted sources cannot access restricted content. In other words, they help protect against CSRF attacks, which trick users into executing malicious actions they do not intend to perform.

Here is a code snippet illustrating the problem in the fnsf_copy_posts function

/**/	function fnsf_copy_posts() {
global $wpdb;
$table_name = $wpdb->prefix . 'fnsf_post_copies';

$post_id = $_REQUEST['post_id'];
$new_title = $_REQUEST['new_title'];

	$nonce = sanitize_text_field( $_REQUEST['_wpnonce'] );
	if ( ! wp_verify_nonce( $nonce ) ) {
		die( 'Nonce value cannot be verified.' );
	}

The issue arises from the fact that the nonce is not properly validated. This allows unauthenticated attackers to forge requests and create new copies of arbitrary posts—so long as they can trick a site administrator into clicking a malicious link.

Exploit Explanation

To exploit this vulnerability, an attacker would craft a custom URL containing a malicious CSRF payload and trick a website administrator into clicking on it. For instance, they could send the URL via email, embed it in a forum post, or make it part of a comment. Upon clicking the URL, the administrator would unwittingly execute the attacker's desired action.

A successful CSRF attack could allow the attacker to create and modify posts or perform other unauthorized actions on the WordPress site.

Here is a sample CSRF payload

https://example.com/wp-admin/admin-post.php?post_id=100&new_title=Hacked%20Post&_wpnonce=123456&action=fnsf_copy_posts

Mitigation and Vendor Response

WordPress users can protect themselves by updating to Funnelforms Free plugin version 3.5 or later, which addresses this CSRF vulnerability. In addition, site administrators should exercise caution when clicking on unfamiliar links or engaging with suspicious content.

Official Patch Info and References

1. Funnelforms Free plugin - Official Download
2. WordPress Security - Nonce Usage
3. Common Vulnerabilities and Exposures - CVE-2023-5383

Conclusion

The Funnelforms Free plugin for WordPress - versions up to and including 3.4 - is susceptible to CSRF attacks resulting from improper nonce validation in the fnsf_copy_posts function. Attackers could exploit this vulnerability by tricking a site administrator into clicking a malicious link, allowing them to create new copies of arbitrary posts or perform other unauthorized actions on the website. To mitigate this risk, users should update to Funnelforms Free version 3.5 or later and be cautious when clicking on unfamiliar links.

Timeline

Published on: 11/22/2023 16:15:11 UTC
Last modified on: 11/27/2023 20:12:46 UTC