WordPress is one of the most widely used content management systems in the world, powering millions of websites. Plugins such as WPForms extend what those sites can do, but a plugin that is not carefully developed and maintained can also introduce vulnerabilities. In this long-read post we look at a recently disclosed vulnerability in the popular plugin WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More.
Details
CVE Identifier: CVE-2024-10593
Affected Plugin: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Affected Versions: All versions up to, and including, 1.9.1.6
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Impact: Unauthenticated attackers can delete WPForms logs via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking a link.
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function.
Original References:
1. CVE-2024-10593
2. WPForms Release Notes
Exploit Details
The vulnerable process_admin_ui function lacks proper nonce validation, so a request that performs an administrative action is accepted without any proof that the administrator actually intended it. The attacker needs no account on the target site: they craft the request in advance and trick a logged-in administrator into sending it, for example by getting them to click a link. The victim's browser attaches the WordPress authentication cookies automatically, so the plugin processes the request as if the administrator had issued it, and the selected WPForms log is deleted.
The snippet below is a simplified illustration of the flawed pattern rather than the plugin's actual source: the handler reads the _wpnonce parameter but never passes it to wp_verify_nonce(), so any value satisfies the check.
function process_admin_ui() {
    if ( ! isset( $_REQUEST['action'] ) ) {
        return;
    }

    // Flawed check: only tests that a _wpnonce parameter is present.
    // The value is never verified against the expected action, so a
    // forged request carrying an arbitrary _wpnonce passes.
    if ( ! isset( $_REQUEST['_wpnonce'] ) ) {
        return;
    }

    if ( 'delete_log' === $_REQUEST['action'] ) {
        // Perform action to delete log
    }
}
As we can see, the function only checks that the _wpnonce parameter exists; it never verifies the token itself, so the nonce provides no protection and a forged request is processed.
A possible forged request that an attacker could use to exploit this vulnerability would look like this:
http://example.com/wp-admin/admin-post.php?action=delete_log&log_id=110&_wpnonce=forged_nonce
A site administrator lured into opening this link would unwittingly delete a WPForms log. Because the action is triggered by a plain GET request, a link from another site is enough: it is a top-level navigation, which browsers' default SameSite=Lax cookie handling still allows, so the administrator's session cookies travel with it. The same request could also be issued from an attacker-controlled page, which is why a nonce that is actually verified, not merely present, is required.
Solution
To mitigate this vulnerability, the nonce must actually be verified in the process_admin_ui function, and the destructive action should additionally be limited to users with the appropriate capability: a nonce proves that the request was intentionally issued from the site's own admin UI, not that the user is allowed to perform the action. The updated snippet validates the nonce and aborts on failure:
function process_admin_ui() {
    if ( ! isset( $_REQUEST['action'] ) ) {
        return;
    }

    // Correct nonce validation: the token must be present AND verify
    // against the 'process-admin-ui' action for the current user.
    if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'process-admin-ui' ) ) {
        wp_nonce_ays( 'process-admin-ui' ); // Shows the "Are you sure you want to do this?" page and terminates via wp_die()
        exit;
    }

    if ( 'delete_log' === $_REQUEST['action'] ) {
        // Perform action to delete log
    }
}
WPForms addressed the issue in version 1.9.2. Users running earlier versions are advised to update the plugin to the latest available release to protect against this vulnerability.
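To show the complete pattern in context, here is an added example (not code from this page or from the WPForms plugin) of a minimal admin-post.php handler that deletes a hypothetical log entry only when both the nonce and the user's capability check out. The function names, the 'example_delete_log' action and the 'example_logs' option are assumed for illustration; wp_nonce_url(), check_admin_referer(), current_user_can() and the admin_post_{action} hook are standard WordPress APIs.

```php
<?php
/**
 * Added example: a CSRF-resistant "delete log" handler for admin-post.php.
 * Not the WPForms plugin's code; action and option names are illustrative.
 */

// 1. Build the link the admin UI shows. wp_nonce_url() appends a _wpnonce
//    parameter bound to the action string and the current user's session.
function example_delete_log_url( int $log_id ): string {
    $url = add_query_arg(
        array(
            'action' => 'example_delete_log', // assumed action name
            'log_id' => absint( $log_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    // The nonce action includes the log id, so a token issued for one
    // entry cannot be replayed against another.
    return wp_nonce_url( $url, 'example_delete_log_' . absint( $log_id ) );
}

// 2. Handle the request. The admin_post_{action} hook (as opposed to
//    admin_post_nopriv_{action}) only fires for logged-in users.
function example_process_delete_log(): void {
    $log_id = isset( $_REQUEST['log_id'] ) ? absint( $_REQUEST['log_id'] ) : 0;

    // Nonce check: proves the request originated from a page WordPress
    // rendered for this user, which a cross-site forged request cannot
    // reproduce. check_admin_referer() calls wp_die() on failure, so
    // nothing below runs for a forged or missing _wpnonce.
    check_admin_referer( 'example_delete_log_' . $log_id );

    // Capability check: a nonce is not an authorization check. Without
    // this, any logged-in user (for example a subscriber) could obtain a
    // valid nonce of their own and delete logs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete logs.', 'example' ), 403 );
    }

    if ( $log_id > 0 ) {
        // Illustrative storage: logs kept in an option keyed by id.
        $logs = get_option( 'example_logs', array() ); // assumed option name
        unset( $logs[ $log_id ] );
        update_option( 'example_logs', $logs );
    }

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_delete_log', 'example_process_delete_log' );
```

With this pattern the forged request shown in the Exploit Details section fails at check_admin_referer(): wp_verify_nonce() recomputes the expected token from the action string, the victim's user ID, their session token and the current time window, so a value the attacker chose in advance cannot match, and the handler never reaches the deletion code.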
Conclusion
WordPress plugins like WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More play a crucial role in the modern web. However, vulnerabilities such as this one underscore the importance of secure coding practices, thorough testing, and timely updates and patching. Stay informed about potential security issues affecting WordPress plugins and content management systems, and update your plugins regularly to reduce the risk of compromising your site.
Timeline
Published on: 11/13/2024 03:15:04 UTC
Last modified on: 11/13/2024 17:01:16 UTC