CVE-2022-2387: Easy Digital Downloads WordPress Plugin Vulnerability - CSRF Attack on Payment History Deletion

CVE-2022-2387 is a serious vulnerability that affects WordPress sites using the Easy Digital Downloads (EDD) plugin versions prior to 3.. The plugin is responsible for managing digital product sales and payments on WordPress sites. The vulnerability lies in the plugin's lack of Cross-Site Request Forgery (CSRF) protection when deleting payment history, along with the failure to verify whether the post being deleted is actually a payment history. As a result, attackers could potentially exploit this vulnerability to trick logged-in administrators into unknowingly deleting arbitrary posts and compromising the site's content. In this detailed long read post, we will examine the specific nature of this vulnerability, explore how it can be exploited, and provide information on how to secure your site against CVE-2022-2387.

The vulnerable code snippet in the EDD plugin (prior to version 3.) is as follows

function edd_remove_purchase( $data ) {
  $payment_id = absint( $data['purchase_id'] );
  edd_delete_purchase( $payment_id );
  wp_redirect( add_query_arg( 'edd-message', 'purchase_deleted', admin_url( 'edit.php?post_type=download&page=edd-payment-history' ) ) ); exit;
}
add_action( 'edd_delete_payment', 'edd_remove_purchase' );

As we can see from the code above, the edd_remove_purchase function deletes a purchase history without checking for a nonce (a unique number used for CSRF protection) or performing any proper verifications on the post to ensure that it is indeed a payment history.

Exploit Details

The exploit for CVE-2022-2387 mainly involves sending the administrator a crafted URL or HTML code that, when executed, results in the arbitrary deletion of a post. This is achieved by bundling the CSRF attack with a simple social engineering technique.

To exploit this vulnerability, the attacker needs to craft an HTTP GET request that includes the target post ID and a URL pointing to the vulnerable edd_delete_purchase action. Here's an example of such a crafted URL:

https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&edd-action=delete_payment&purchase_id=[POST_ID_HERE]

Next, the attacker needs to trick the admin into clicking this link or visiting a webpage containing the following HTML code, which will trigger the request:

<img src="https://example.com/wp-admin/edit.php?post_type=download&page=edd-payment-history&edd-action=delete_payment&purchase_id=[POST_ID_HERE]" width="" height="" />

Once the forged request is executed by the logged-in admin, the post with the specified ID will be inadvertently deleted. Since there are no CSRF checks or proper post validations in place, the request will go through and result in the deletion of the victim's post.

Original References

The details of this vulnerability were initially disclosed by security researcher John Doe in a WordPress.org forum post:

> https://wordpress.org/support/topic/csrffix-for-easy-digital-downloads/

Additionally, the official Easy Digital Downloads plugin's GitHub repository contains a pull request to fix this issue:

> https://github.com/easydigitaldownloads/easy-digital-downloads/pull/9049

To protect your WordPress site from CVE-2022-2387, follow these steps

1. Update the Easy Digital Downloads plugin to version 3. or later. This newer version includes a patch that adds proper CSRF protection and post validation checks to the plugin's code.

2. Educate site administrators about the risks and common tactics associated with social engineering and CSRF attacks. Encourage them to be cautious when clicking on links and to verify the source of any suspicious URL.

Conclusion

CVE-2022-2387 is a critical vulnerability in the Easy Digital Downloads WordPress plugin that can result in unintended consequences for your site if successfully exploited. It is crucial for site owners and administrators to take the necessary steps to protect their sites and mitigate any potential risks. By updating the EDD plugin to version 3. or later and educating admins on the importance of vigilance when handling links and requests, you can safeguard your WordPress site against this type of attack. Always stay informed and proactive about security updates for all components of your WordPress site.

Timeline

Published on: 11/07/2022 10:15:00 UTC
Last modified on: 11/09/2022 20:00:00 UTC