In this in-depth analysis, we will explore a security vulnerability dubbed CVE-2022-1672. This vulnerability lies within the Google PageSpeed WordPress plugin before version 4..7 and exposes a website to Cross-Site Request Forgery (CSRF) attacks. If exploited, an attacker can make a logged-in administrator's browser perform unauthorized actions such as deleting Custom URLs.

Background

The Google PageSpeed WordPress plugin is a popular tool designed to help website administrators optimize their websites for better performance and faster loading times. However, it was recently discovered that the plugin versions before 4..7 contain a dangerous vulnerability that allows attackers to execute CSRF attacks.

The Vulnerability

Specifically, the vulnerability exists because the plugin fails to verify a CSRF token (a WordPress nonce) before performing actions like deleting Custom URLs. Because the handler trusts any request that carries the administrator's session cookie, an attacker can cause a logged-in administrator's browser to submit such a request, and the plugin performs the action on the administrator's behalf without their knowledge or consent.

Attack Scenario

An attacker could potentially craft a malicious web page or link and covertly manipulate an administrator into clicking on it while they're logged into their WordPress site. Upon clicking the malicious link or visiting the page, unauthorized actions could be performed on the website, deleting essential Custom URLs or modifying other configurations directly.

The vulnerability is documented in the following official sources:

1. National Vulnerability Database Entry
2. WordPress Plugin Vulnerability Database Entry

Code Snippet

The problematic code in question is in the admin/class-pagespeedninja-admin.php file of the plugin. The absence of a proper CSRF token check before performing actions is evident. Below is a snippet showing the lack of token verification:

public function ajax_pagespeedninja() {
    // No nonce/referer check (e.g. check_ajax_referer()) and no capability
    // check happen before the posted sub-action is dispatched, so any
    // request the administrator's browser can be made to send is acted on.
    switch ($_POST['action2']) {
        case 'remove_custom':
            // Deletes the Custom URL named in the request without verifying
            // that the administrator actually intended to send it.
            $custom_urls = new \CustomURlsOptimization();
            $custom_urls->remove($_POST['page']);
            break;
        //...Other cases
    }

    //Additional code
}

The Fix

To mitigate this vulnerability, the developer team behind the Google PageSpeed WordPress plugin has released version 4..7. This version introduces proper CSRF token checks to ensure secure plugin operation. You can view the full changelog, including the patch notes, here.

Additionally, it is highly recommended to update to the latest version of the plugin as soon as possible to ensure protection against possible CSRF attacks.
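To make the fix concrete, the following is an added example of how a WordPress AJAX handler for the "remove_custom" action can be hardened with a nonce check and a capability check. It is illustrative code written for this article, not the plugin's own patch; the function names (psn_enqueue_admin_script, psn_ajax_remove_custom), the nonce action string 'psn_remove_custom', the admin page hook suffix, the script path and the CustomUrlsOptimization class are all assumed. The WordPress functions used (wp_create_nonce, wp_localize_script, check_ajax_referer, current_user_can, wp_send_json_error, wp_send_json_success, sanitize_text_field, wp_unslash) are real core API.

```php
<?php
// Added example, not the plugin's code. Names prefixed psn_ and the
// CustomUrlsOptimization class are assumptions for illustration.

// 1. When the plugin's admin page loads, hand the browser a nonce bound to
//    this one action. A forged cross-site request cannot know this value.
add_action( 'admin_enqueue_scripts', 'psn_enqueue_admin_script' );
function psn_enqueue_admin_script( $hook ) {
    if ( 'settings_page_psn' !== $hook ) { // assumed hook suffix of the settings page
        return;
    }
    wp_enqueue_script( 'psn-admin', plugins_url( 'admin/psn-admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'psn-admin', 'psnAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'psn_remove_custom' ),
    ) );
}

// 2. Register the handler for logged-in users only: no wp_ajax_nopriv_ hook,
//    so unauthenticated requests never reach it.
add_action( 'wp_ajax_psn_remove_custom', 'psn_ajax_remove_custom' );
function psn_ajax_remove_custom() {
    // Nonce check. check_ajax_referer() reads $_REQUEST['_ajax_nonce'] and
    // verifies it against the action string; with the third argument set to
    // false it returns false instead of calling wp_die(), so a JSON error
    // can be returned. This is the check the vulnerable handler lacked.
    if ( ! check_ajax_referer( 'psn_remove_custom', '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // Capability check. A nonce proves intent, not authorisation: a valid
    // nonce from a low-privilege user must still not delete admin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate the input before acting on it.
    $page = isset( $_POST['page'] ) ? sanitize_text_field( wp_unslash( $_POST['page'] ) ) : '';
    if ( '' === $page ) {
        wp_send_json_error( array( 'message' => 'Missing page parameter.' ), 400 );
    }

    // Only now perform the state-changing action.
    $custom_urls = new \CustomUrlsOptimization(); // assumed class name
    $custom_urls->remove( $page );

    wp_send_json_success( array( 'removed' => $page ) );
}
```

The legitimate admin script then posts action=psn_remove_custom, _ajax_nonce=psnAjax.nonce and page=<url> to psnAjax.url. A page on another origin can still make the administrator's browser send the cookie, but it cannot read the nonce, so the handler rejects the request at the first check. Note that wp_send_json_error() and wp_send_json_success() terminate the request, which is why no return statements follow them. When auditing a plugin for this class of bug, the check is simple: every wp_ajax_ handler and every admin-post or options-form handler that changes state should call check_ajax_referer(), check_admin_referer() or wp_verify_nonce() and a current_user_can() check before touching $_POST.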

Conclusion

CVE-2022-1672 presents a CSRF risk for administrators using Google PageSpeed WordPress plugin before version 4..7. By failing to verify CSRF tokens before performing critical actions like deleting Custom URLs, this plugin leaves websites susceptible to attackers who can exploit the vulnerability. Administrators are urged to update their plugins immediately to protect their websites and user data.

Timeline

Published on: 07/17/2022 11:15:00 UTC
Last modified on: 07/18/2022 12:10:00 UTC