The Fatal Error Notify WordPress plugin is a useful tool for website administrators, as it allows them to receive notifications about errors that occur on their site. However, a critical vulnerability was recently discovered in versions prior to 1.5.3 of the plugin, which allowed any authenticated user (including subscribers) to trigger the test_error AJAX action without any authorisation or CSRF checks. This gap could be used to spam the admin email address with test error messages and potentially cause other problems stemming from the unauthorised access. This post looks at the vulnerability (CVE-2023-7202), how it can be exploited, and how to mitigate its impact.

Code Snippet

The vulnerability in the Fatal Error Notify WordPress plugin lies in the handler for the test_error AJAX action, which runs without any authorisation or CSRF (nonce) check. The flawed code snippet, found in the plugin's PHP file, looks like this:

// wp_ajax_* hooks run for any logged-in user, whatever their role.
add_action('wp_ajax_fatal_error_notify_test', 'fatal_error_notify_test_error');
function fatal_error_notify_test_error() {
    // No current_user_can() capability check and no check_ajax_referer()
    // nonce check: any authenticated user, or a forged cross-site request
    // made in their browser, reaches the wp_mail() call below.
    $email = get_option('admin_email');
    $subject = 'Fatal Error Notify Test';
    $message = 'This is a test error message from the Fatal Error Notify plugin.';
    wp_mail($email, $subject, $message);
    echo 'success';
    wp_die();
}

As you can see from the code above, nothing verifies that the user calling the test_error AJAX action holds administrative privileges, and nothing verifies a nonce, so the request can also be forged from another site.
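For comparison, here is the same handler with the two missing checks in place. This is an added example written for this post, not the plugin's own code or its 1.5.3 fix; the nonce action name 'fatal_error_notify_test', the script handle 'fatal-error-notify-admin' and the JavaScript object name 'fatalErrorNotify' are assumed for illustration.

```php
<?php
// Added example (not the plugin's code): the test_error AJAX handler with a
// nonce (CSRF) check and a capability (authorisation) check added.
// Assumed names: nonce action 'fatal_error_notify_test', script handle
// 'fatal-error-notify-admin', JS object 'fatalErrorNotify'.

add_action('wp_ajax_fatal_error_notify_test', 'fatal_error_notify_test_error');
function fatal_error_notify_test_error() {
    // CSRF check: the request must carry a nonce issued for this action.
    // Third argument false makes check_ajax_referer() return instead of
    // dying, so a JSON error with a 403 status can be sent.
    if (!check_ajax_referer('fatal_error_notify_test', 'nonce', false)) {
        wp_send_json_error(array('message' => 'Invalid or missing nonce.'), 403);
    }

    // Authorisation check: sending a test mail to the admin address is an
    // administrator task, so require the manage_options capability. Being
    // logged in (which wp_ajax_* already implies) is not enough.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    $email   = get_option('admin_email');
    $subject = 'Fatal Error Notify Test';
    $message = 'This is a test error message from the Fatal Error Notify plugin.';
    $sent    = wp_mail($email, $subject, $message);

    if (!$sent) {
        wp_send_json_error(array('message' => 'wp_mail() failed.'), 500);
    }
    wp_send_json_success(array('message' => 'Test email sent.'));
}

// The nonce has to reach the plugin's admin page script so it can be sent
// with the AJAX request; wp_localize_script() exposes it together with the
// endpoint. The handle must match a script the plugin actually enqueues.
add_action('admin_enqueue_scripts', function ($hook) {
    wp_localize_script('fatal-error-notify-admin', 'fatalErrorNotify', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('fatal_error_notify_test'),
    ));
});
```

A subscriber now receives a 403 from the capability check even with a valid nonce, and a cross-site request fails the nonce check before any mail is sent.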

Exploitation Details

Given the lack of authorisation and CSRF checks in the test_error AJAX action, an attacker could take advantage of this vulnerability to flood the admin email address with unwanted error messages. Such an attack could not only cause an annoyance for the site administrator but also potentially hinder their ability to respond to legitimate issues in a timely manner.

The issue can be exploited by any authenticated user with the 'Subscriber' role on the website, making it a low-barrier exploit for attackers who may have gained access to a low-level account. Moreover, the vulnerability is also exploitable via CSRF (Cross-Site Request Forgery), enabling attackers to trick authenticated users into executing unwanted actions on their behalf, such as sending spam emails.

Original References

The vulnerability in the Fatal Error Notify WordPress Plugin was initially reported by the WordPress Plugin Directory team. You can find the original report and discussion here:
- WordPress Plugin Directory - Fatal Error Notify

Mitigation

To protect your WordPress site from the security risks posed by this vulnerability, update the Fatal Error Notify WordPress plugin to version 1.5.3 or later. Additionally, consider enabling two-factor authentication (2FA) for your users to make it harder for attackers to gain access to an account on your site.

Furthermore, it is essential to practice proper website security hygiene, including keeping your plugins, themes, and WordPress core up-to-date, using strong passwords, and routinely checking for security vulnerabilities. By taking these steps, you can minimise the likelihood of falling victim to exploits such as CVE-2023-7202.

Conclusion

CVE-2023-7202 is a critical security vulnerability in the Fatal Error Notify WordPress plugin, which highlights the importance of regularly updating your website's plugins and themes and keeping an eye on security announcements. By staying vigilant and adhering to best security practices, you can safeguard your site against a range of threats and ensure a secure online experience for your users.

Timeline

Published on: 02/27/2024 09:15:37 UTC
Last modified on: 02/27/2024 14:20:06 UTC