WordPress is one of the most popular content management systems in the world, and plugins extend its features to power millions of websites. However, security issues in plugins can leave even the best WordPress sites at risk. This long read is all about CVE-2022-40131, a Cross-Site Request Forgery (CSRF) vulnerability found in the Page View Count plugin (by a3rev Software) up to version 2.5.5.

This post will explain what CSRF is, how the vulnerability works, include code snippets, and guide you through potential exploits—all in simple terms.

What Is CVE-2022-40131?

CVE-2022-40131 identifies a security bug in the Page View Count plugin for WordPress, versions 2.5.5 and below. The bug allows a malicious actor to reset the plugin’s settings just by tricking a logged-in WordPress admin into clicking a specially crafted link.

What is CSRF and Why Does it Matter?

CSRF is a web attack that tricks a logged-in user to perform unwanted actions on a web application. If you’re an admin logged into your WordPress site and visit a malicious page, that page can “ask” your WordPress site to run admin actions—like changing settings—without you even noticing.

How Does the Vulnerability Work?

The Page View Count plugin lets admins manage and view statistics about how many people visit each page or post on their site. Like many plugins, it offers a "Reset Settings" feature. But up to version 2.5.5, this feature did not use a CSRF protection token (called a nonce in WordPress).

User: The victim (you), who is already logged in as admin.

The reset settings action for Page View Count was performed by sending a POST request to the plugin’s settings page, including a field like reset_settings=Reset.

Exploit Code Snippet

Below is a simple HTML form that, when hosted on an attacker’s site, automatically submits to the victim's WordPress site. If an admin visits this attacker's page *while logged in* to WordPress, all plugin settings are reset without confirmation!

<html>
  <body>
    <form action="https://victim.com/wp-admin/admin.php?page=page-view-count&tab=settings"; method="POST" id="csrfattack">
      <input type="hidden" name="reset_settings" value="Reset">
    </form>
    <script>
      document.getElementById('csrfattack').submit();
    </script>
  </body>
</html>

Replacehttps://victim.com with the real site URL.

Admin visits attacker's site (via phishing or a malicious ad)

- The browser sends a hidden POST request (with the admin’s cookies!) to the plugin’s settings page

Demonstration

Imagine you're logged into your WordPress dashboard at https://myblog.com/wp-admin. You open a shady email with a link to http://attacker.com/csrf.html. Instantly, your Page View Count settings go back to factory defaults. No warning, no questions. This can break reporting, affect theme displays, or hide/view counts from readers.

Responsible Disclosure and Patch

This bug was responsibly disclosed, and the publisher fixed it in version 2.5.6 by introducing a CSRF nonce check. If you use this plugin, upgrade now!

- Plugin changelog

If you develop plugins, always use WordPress's wp_nonce_field() and check_admin_referer() to protect sensitive admin actions.

References

- CVE-2022-40131 – NVD Entry
- Plugin Vulnerabilities Database
- Original Plugin

Summary

CVE-2022-40131 is a classic example of why CSRF protection is a must for WordPress plugins. A simple, missing nonce check allowed attackers to cause real trouble for site admins. Update to the latest version, always use proper security controls, and stay safe out there!


*Stay tuned for more easy-to-understand rundowns on recent WordPress vulnerabilities!*

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 17:22:00 UTC