The popular SearchWP premium plugin for WordPress, used by thousands of websites for advanced search functionality, has been found vulnerable to a security flaw identified as CVE-2022-40223. The vulnerability is caused by nonce token leakage combined with missing authorization checks, allowing unauthorized users to alter plugin settings. Websites running SearchWP premium plugin version 4.2.5 or older are at risk, and administrators are encouraged to update as soon as possible.

Details

A nonce token, short for "number used once," is a standard security measure used to protect URLs and forms from certain attacks, notably cross-site request forgery (CSRF). A nonce only shows that a request originated from a page the server rendered for the user; it does not by itself prove that the requester is authorized to perform the action. In the case of CVE-2022-40223, the nonce token of the SearchWP premium plugin is inadvertently leaked, and the plugin fails to properly check whether a user viewing the configuration page has the appropriate permissions.

To exploit this vulnerability, an attacker with access to the leaked nonce token can send a crafted request that changes plugin settings without proper authorization. This can lead to the unauthorized user gaining access to sensitive information, among other potential impacts.

Code Snippet

The following JavaScript code snippet demonstrates the exploitation of CVE-2022-40223, sending a malicious HTTP POST request to apply the settings change:

// Placeholders in braces are filled in as described in the note that follows.
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://target-site.com/wp-admin/options.php", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("option_page=searchwp&nonce_value={nonce}&action=update&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dsearchwp&searchwp={MALICIOUS_SETTINGS}");

In the snippet above, an attacker would need to replace {nonce} with the leaked nonce token and {MALICIOUS_SETTINGS} with the desired settings payload. The targeted site's URL would also be changed accordingly.

Original References

- WordPress Vulnerability Database
- CVE-2022-40223 - National Vulnerability Database

Mitigation

The developers of the SearchWP premium plugin for WordPress have addressed this vulnerability in version 4.2.6. It is strongly recommended to update to the latest version of the plugin to close the security gap caused by CVE-2022-40223. Additionally, website administrators should ensure that all users have strong passwords and follow proper security practices.
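For plugin developers, the two defects described above (treating a nonce as authorization, and rendering the nonce where a low-privileged user can read it) map to a recognisable code pattern. The following is an added illustration written for this article, not SearchWP's code, and the function and option names (demo_plugin_*, demo_nonce, demo_plugin_settings) are hypothetical; it uses only standard WordPress API functions.

```php
<?php
// Added illustration, not the SearchWP plugin's code. Shows a settings handler
// that relies on the nonce alone beside a hardened version that performs the
// capability check first. Hypothetical names: demo_plugin_*, demo_nonce.

// WEAK: the nonce is the only gate. A nonce proves the request came from a
// page that rendered the token; it says nothing about who holds it. If the
// token reaches a low-privileged user, this handler lets them write settings.
function demo_plugin_save_settings_weak() {
    if ( ! isset( $_POST['demo_nonce'] ) ||
         ! wp_verify_nonce( $_POST['demo_nonce'], 'demo_plugin_save' ) ) {
        wp_die( 'Invalid request.' );
    }
    // No current_user_can() check: any holder of the nonce can update.
    $value = sanitize_text_field( wp_unslash( $_POST['demo_settings'] ?? '' ) );
    update_option( 'demo_plugin_settings', $value );
}

// HARDENED: authorization first (capability), then CSRF defence (nonce).
// Both checks are required; neither substitutes for the other.
function demo_plugin_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    check_admin_referer( 'demo_plugin_save', 'demo_nonce' ); // dies on failure
    $value = sanitize_text_field( wp_unslash( $_POST['demo_settings'] ?? '' ) );
    update_option( 'demo_plugin_settings', $value );
}

// Only emit the nonce where an authorized user can see it. Printing it into a
// front-end script, an unauthenticated response or an unguarded admin page is
// how a nonce leaks to users who should never have it.
function demo_plugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // no form, and no nonce, for unauthorized viewers
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_plugin_save">';
    wp_nonce_field( 'demo_plugin_save', 'demo_nonce' );
    echo '<input type="text" name="demo_settings">';
    submit_button( 'Save' );
    echo '</form>';
}

// Route the form submission to the hardened handler only.
add_action( 'admin_post_demo_plugin_save', 'demo_plugin_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for every handler that calls wp_verify_nonce() or check_admin_referer() without a matching current_user_can() check, and for every place a nonce is echoed outside a capability-guarded admin page.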

In conclusion, CVE-2022-40223 is a serious vulnerability in the SearchWP premium plugin for WordPress that allows attackers holding a leaked nonce token to change plugin settings without proper authorization. Immediate action must be taken to update to the latest version (≥ 4.2.6) and to ensure that all websites employing the plugin adhere to proper security practices.

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:56:00 UTC