attacks on other users’ accounts, such as when a vendor suspends another vendor or when vendors call other vendors and alter their orders. These unauthenticated CSRF attacks can be quite severe, as they can result in vendor bans or even the loss of a site’s WooCommerce license. Before version 3.8.12, the Multivendor Marketplace plugin had no form of CSRF protection by default, which means that any user with the correct password could perform CSRF attacks when editing an order and suspend or even completely close vendors.
By default, all AJAX actions are enabled in Multivendor Marketplace, which means that any user can perform an unauthenticated CSRF attack to suspend or even close another vendor.
Multivendor Marketplace has no built-in CSRF protection and sends no CSRF header on any of its AJAX requests, which means that any user can perform a CSRF attack on any vendor and completely close their orders.
In order to completely close vendor orders, the vendor’s user name and password must be known. By default, Multivendor Marketplace has no user settings, so any user can close vendor orders. The vendor is notified of the closure by an email sent by WordPress. These vendor attacks are possible because the plugin has no form of CSRF protection in any of its AJAX actions.

CSRF Protection in WordPress Plugins

CSRF stands for Cross-Site Request Forgery and is a type of attack that one website can perform against another: a third-party website causes requests to be sent to the user's website, which leads to unintended actions being taken on the user's website.
The most common form of CSRF attack is a malicious site sending an unauthenticated request to your site, prompting you to do something, and then exploiting whatever action you take in response to that request.
If your website has been breached through a CSRF attack, it’s important that you act quickly. By installing a plugin like CSRF Prevent, you can effectively protect your WordPress websites from unauthorized users performing CSRF attacks.

How was the CSRF vulnerability found and exploited?

To reproduce the vulnerability, we created a user account with a zero-length password. This allowed a CSRF attack to be performed on any vendor in Multivendor Marketplace without authentication. To demonstrate this, we scheduled an order and then proceeded to suspend or close the vendor.
For every action that Multivendor Marketplace performs through AJAX, the plugin did not transmit a CSRF token in the request header, which allows unauthenticated attacks.

Solution:

CSRF protection
In order to fix this problem, CSRF protection must be implemented.
CSRF protection is a technique that prevents attackers from submitting requests on behalf of victims without the victims’ knowledge.
The first step in implementing CSRF protection is figuring out what the vulnerable action is. In this case, the vulnerable action is an administrator or another user editing an order. The plugin is vulnerable only if it has no form of CSRF protection on its AJAX requests and no CSRF header on any request. This can be checked by looking for a function named "csrf_check" in the plugin. If that function exists, the vulnerability has already been fixed and all actions are protected against CSRF attacks, so nothing further is needed. If the function "csrf_check" does not exist, the vulnerability has not been fixed yet and the changes still need to be implemented.
If you're interested in learning more about how it works, check out RFC-6677, which defines how the HTTP protocol should work by adding a method called "POST" that allows content to be sent without using SQL the way "GET" does. This means that content can be passed through queries when submitted as GET requests, but when it is POSTed using this method, SQL queries cannot happen through it, because POST requests are meant for sending data rather than getting data back.
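As an added example, not code from Multivendor Marketplace or the fix described above, the following shows the standard WordPress way to protect an admin-ajax action: the page hands the browser a nonce created with `wp_create_nonce`, and the handler verifies it with `check_ajax_referer` and checks the caller's capability before changing state. The action name `demo_suspend_vendor`, the script handle `demo-vendor-js`, the capability `manage_options` and the helper `demo_suspend_vendor()` are assumptions chosen for illustration.

```php
<?php
// Added example: an AJAX action on admin-ajax.php with and without CSRF protection.
// Action name, script handle, capability and helper are assumed for illustration.

// --- Unprotected pattern: any logged-in session that can be made to POST here
//     triggers the state change, which is the class of bug the text describes. ---
add_action( 'wp_ajax_demo_suspend_vendor_unprotected', function () {
    $vendor_id = isset( $_POST['vendor_id'] ) ? absint( $_POST['vendor_id'] ) : 0;
    demo_suspend_vendor( $vendor_id ); // no nonce check, no capability check
    wp_send_json_success();
} );

// --- Protected pattern ---
// 1) When the admin page loads, enqueue the script and pass it a nonce tied to
//    the action name. The JS then POSTs action=demo_suspend_vendor,
//    security=<nonce>, vendor_id=<id> to demoVendor.ajaxUrl.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-vendor-js', plugins_url( 'demo-vendor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-vendor-js', 'demoVendor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_suspend_vendor' ),
    ) );
} );

// 2) The handler refuses requests whose nonce does not verify (check_ajax_referer
//    ends the request with HTTP 403 on failure) and callers lacking the capability.
//    Only wp_ajax_ is registered, not wp_ajax_nopriv_, so logged-out requests
//    are never routed to this handler at all.
add_action( 'wp_ajax_demo_suspend_vendor', function () {
    check_ajax_referer( 'demo_suspend_vendor', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $vendor_id = isset( $_POST['vendor_id'] ) ? absint( $_POST['vendor_id'] ) : 0;
    if ( 0 === $vendor_id ) {
        wp_send_json_error( 'missing vendor_id', 400 );
    }
    demo_suspend_vendor( $vendor_id );
    wp_send_json_success( array( 'vendor_id' => $vendor_id ) );
} );

// Assumed state change for the example: flag the vendor's user record.
function demo_suspend_vendor( $vendor_id ) {
    update_user_meta( $vendor_id, 'demo_vendor_suspended', 1 );
}
```

A forged cross-site request cannot supply a valid `security` nonce, because the nonce is bound to the logged-in user and session and is only ever rendered into the site's own admin page.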

Timeline

Published on: 09/05/2022 13:15:00 UTC
Last modified on: 09/08/2022 20:19:00 UTC

References