This can be something as simple as viewing a malicious email in your inbox or as dangerous as pushing malicious updates to the WordPress installation. Fortunately, because of how the CSRF flaw is exploited, an attacker would need access to your email address. What makes this issue even more concerning is that reSmush.it was released before 0.4.4, the version before the update in which the CSRF flaw was fixed. This means that, before the update, reSmush.it was found to be under active exploitation. To fix this issue quickly, we decided to release an update that patched the CSRF vulnerability. Unfortunately, the update brought a new issue with it. During the update, some of the plugin's functionality had to be rewritten, and as a result of that rewrite the plugin now suffers from a serious CSRF flaw that could be exploited by any remote attacker. The severity of this issue cannot be overstated.

Exploitation Steps

These exploits are not new, and the steps require some skill to execute. The steps are as follows:
1) Create a payload
2) Compile it
3) Send it to the plugin's URL with the following format: "action=payload-here"
4) Trigger the CSRF exploit via POST request (Action parameter): "action=admin-ajax&do=update_reSmush.it_settings&pwd=

Update Required: Is your WordPress installation vulnerable?

It is recommended that you update your WordPress installation to the latest version and remove reSmush.it if you have not already done so. If you are currently running 0.3.9 or earlier, update your installation to the latest version immediately, as any attacker could use this vulnerability to launch an attack against your site.
Durability:

The Vulnerability:

The severity of this issue cannot be overstated, but we understand that some users may need more time to upgrade their WordPress installations in order to maintain the integrity of their websites. If you are one of the users who require more time to upgrade, please email us at support@reSmush.it with the subject "CSRF" and we will help get your site up to date before malicious parties can exploit it.

The issue with reSmush.it

To fix this serious CSRF flaw, we decided to release an update. Unfortunately, the update came with a completely new issue that could be exploited by any remote attacker. During the update, some of the plugin's functionality had to be rewritten, and as a result of that rewrite reSmush.it now suffers from a severe CSRF flaw that any remote attacker could exploit. The severity of this issue cannot be overstated.

Exploiting the CSRF flaw to perform a remote attack

An attacker exploiting the CSRF flaw can perform a remote attack by tricking the victim into visiting a website that issues forged requests to the victim's WordPress installation. Because the victim's browser attaches the session cookies to those requests, the attacker can act on the victim's WordPress installation without ever knowing the credentials.
This issue is not limited to reSmush.it users, as other sites are known to have shipped this vulnerability in their own products. This is especially concerning because some of these websites handle sensitive information from large organizations.

What is CSRF?

Cross-Site Request Forgery is a vulnerability in which an attacker tricks a user into executing unwanted actions on a web site, typically by embedding scripts or images that make the victim's browser send requests the user never intended.
A CSRF exploit can be used to perform all sorts of malicious activities, such as taking over the admin account on your WordPress installation, changing passwords, and more. There are many ways this vulnerability could be exploited.
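The usual WordPress defence against exactly this class of bug is a per-user, per-action nonce checked by the admin-ajax handler, combined with a capability check. The following is an added illustration written for this page; it is not reSmush.it's code, and every name in it (the `myplugin_*` actions, the `myplugin_settings` option, the `quality` field, the `settings_page_myplugin` hook suffix and `admin.js`) is a hypothetical placeholder. It shows a settings handler first in the CSRF-prone shape and then in the hardened shape.

```php
<?php
// Added example (not from the reSmush.it plugin). Hypothetical names throughout.

// --- Vulnerable shape: any request carrying action=myplugin_update_settings_insecure
// is honoured. A logged-in administrator who loads an attacker-controlled page will have
// the browser send this request with the admin's cookies attached, and the option changes.
add_action( 'wp_ajax_myplugin_update_settings_insecure', function () {
    $value = isset( $_POST['quality'] ) ? (int) $_POST['quality'] : 0;
    update_option( 'myplugin_settings', array( 'quality' => $value ) ); // no nonce, no capability check
    wp_send_json_success();
} );

// --- Hardened shape: verify the nonce, then the caller's capability, then the input.
add_action( 'wp_ajax_myplugin_update_settings', function () {
    // check_ajax_referer() terminates the request with HTTP 403 unless $_POST['_ajax_nonce']
    // holds a nonce created for this action in the current user's session. A cross-site
    // page cannot read that value, so a forged request fails here.
    check_ajax_referer( 'myplugin_update_settings', '_ajax_nonce' );

    // A valid nonce proves intent, not authority: still require the right capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Validate and constrain the input before storing it.
    $value = isset( $_POST['quality'] ) ? (int) $_POST['quality'] : 0;
    if ( $value < 1 || $value > 100 ) {
        wp_send_json_error( array( 'message' => 'quality must be between 1 and 100' ), 400 );
    }
    update_option( 'myplugin_settings', array( 'quality' => $value ) );
    wp_send_json_success( array( 'quality' => $value ) );
} );

// The plugin's own settings page hands the nonce to its script so legitimate requests
// can include it as _ajax_nonce; this is the only place the value is exposed.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_myplugin' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_update_settings' ),
    ) );
} );
```

The order of the checks matters: the nonce check runs before anything else so that a forged request is rejected before any state is read or written, and the capability check is kept even though only logged-in users reach `wp_ajax_*` hooks, because any authenticated role (a subscriber, for example) can otherwise call an admin-only action. The same two checks apply to `wp_ajax_nopriv_*` handlers and to classic form posts, where `wp_nonce_field()` and `check_admin_referer()` play the corresponding roles.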

Timeline

Published on: 11/14/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:00:00 UTC
