CVE-2024-0203 - Digits WordPress Plugin Cross-Site Request Forgery Vulnerability Up To Version 8.4.1: Exploits and Mitigations

Security breaches are never pleasant, and website administrators or owners must always keep an eye open for possible vulnerabilities in the software they use. Here, I would like to draw your attention to the Digits plugin for WordPress, which has a critical vulnerability related to Cross-Site Request Forgery in versions up to, and including, 8.4.1.

In this post, I will provide an overview of this vulnerability (CVE-2024-0203), the relevant code snippet, reference links to the original source, and exploit details. Additionally, I'll discuss the required actions to mitigate the risk arising from this vulnerability.

Vulnerability Overview

CVE-2024-0203 pertains to a vulnerability in the Digits plugin for WordPress, which is a popular plugin that allows users to sign up and log in with their phone numbers, rather than using a traditional username/password approach. The identified vulnerability is related to Cross-Site Request Forgery (CSRF), which allows for unauthorized modifications to settings and elevates user privileges.

The vulnerability arises from the absence of nonce validation in Digits' 'digits_save_settings' function, which, when exploited, enables hackers to modify the default role of registered users. To exploit this vulnerability, the attacker must trick a site administrator into clicking a malicious link and performing an action, upon which an unauthorized role elevation will occur.

Code Snippet

Below is the problematic code within the 'digits_save_settings' function, in which the missing nonce check poses the CSRF vulnerability:

function digits_save_settings() {
    global $wpdb;
    include(ABSPATH . "wp-includes/pluggable.php");

    $form = $_POST;
    $option = get_option('digits_settings');
    $changed = false;

    // Code...
}
add_action('wp_ajax_digits_save_settings', 'digits_save_settings');

To secure this function, the developer should include nonce checks, like this

function digits_save_settings() {
    global $wpdb;
    include(ABSPATH . "wp-includes/pluggable.php");

    // Check nonce and verify request
    check_ajax_referer('digits_save_nonce', 'security');

    $form = $_POST;
    $option = get_option('digits_settings');
    $changed = false;

    // Code...
}
add_action('wp_ajax_digits_save_settings', 'digits_save_settings');

Exploit Details

As mentioned above, the attacker must first devise a way to deceive the site administrator into performing an action such as clicking a malicious link, which will then trigger the CSRF vulnerability. This may entail crafting a convincing email or some other form of social engineering.

For detailed exploit information, please refer to the original source at https://wordpress.org/plugins/digits/.

Apply nonce checks as shown in the code snippet above

3. Educate site administrators about CSRF attacks and encourage them to be cautious before clicking any link, regardless of the source.

Conclusion

CVE-2024-0203 is a significant security concern for websites using the Digits plugin for WordPress up to, and including, version 8.4.1. Addressing this vulnerability should be prioritized to prevent unauthorized role escalation and subsequent misuse of your WordPress site.

Timeline

Published on: 03/07/2024 20:15:50 UTC
Last modified on: 03/08/2024 14:02:57 UTC