The security team recently discovered multiple critical vulnerabilities in two popular WordPress plugins, Viszt Péter's Integration for Szamlazz.hu & WooCommerce (<=v5.6.3.2) and the Csomagpontok és szállítási címkék WooCommerce-hez (<=v1.9..2) plugin. These vulnerabilities, collectively known as CVE-2022-41685, can lead to Cross-Site Request Forgery (CSRF) attacks, admin impersonation, and unauthorized user role changes by exploiting seemingly unprotected forms. In this long-read post, we will dive deeper into the issues, examine some example code snippets, and provide you with sources to help you understand and resolve these vulnerabilities.

Background

To begin, let's discuss what Cross-Site Request Forgery (CSRF) is. CSRF is an attack that abuses a website's request-authentication mechanism by riding on a user's legitimate session: because the browser attaches the victim's session cookies to requests automatically, a request forged by another site is processed as if the logged-in user had made it, so the user unknowingly executes actions without proper consent or authorization. In these specific cases, CVE-2022-41685 allows attackers to manipulate plugin settings and trigger unapproved transactions on Szamlazz.hu, or to change critical delivery options within the Csomagpontok plugin.

Viszt Péter's Integration for Szamlazz.hu & WooCommerce Plugin <= 5.6.3.2

For those unfamiliar, the Szamlazz.hu & WooCommerce plugin helps WooCommerce users automate their invoicing tasks and integrate them with Szamlazz.hu, a popular Hungarian online invoicing solution.

Now onto the vulnerability. The plugin settings page submits POST requests to the WordPress server, and the handler does not verify that the request originated from the plugin's own form, so an attacker can exploit CSRF by forging manipulated requests from a page they control. The following code snippet demonstrates a possible exploit with a maliciously constructed form:

<form action="http://yourdomain.com/wp-admin/admin.php?page=wc-settings&tab=szamlazz" method="POST">
  <input type="hidden" name="admin_email" value="attacker@example.com" />
  <input type="submit" value="Click here" />
</form>

When a legitimate user clicks the generated button, the attacker receives an email with admin credentials, giving them unauthorized access to the website.

Csomagpontok és szállítási címkék WooCommerce-hez Plugin <= 1.9..2

The Csomagpontok plugin is a Hungarian delivery and shipping solution that enables eCommerce companies to manage their delivery options and generate shipping labels from within their WooCommerce dashboard.

The CSRF exploit in this plugin is similar to the Szamlazz.hu & WooCommerce plugin's vulnerability. Manipulated forms can change plugin settings, modify shipping options, and even create shipping labels without the user's consent. As an example, attackers can compromise key elements of the shipping process by forging a malicious form like this:

<form action="http://yourdomain.com/wp-admin/admin.php?page=wc-settings&tab=shipping&section=csomagpont" method="POST">
  <input type="hidden" name="delivery_cost" value="100" />
  <input type="submit" value="Click here" />
</form>

When this form is submitted, it alters the site's delivery cost settings without proper authorization.

How to fix

1. Update the Szamlazz.hu & WooCommerce plugin to the latest version (at least v5.6.4).

2. Update the Csomagpontok és szállítási címkék WooCommerce-hez plugin to the latest version (at least v1.9.1).

Both developers have already fixed the vulnerabilities in their latest releases. It is strongly recommended to maintain updated plugins and themes for your WordPress installation at all times. Furthermore, consider implementing additional security measures to protect your site from CSRF attacks.
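As an added example, not code from either plugin, here is a minimal WordPress settings handler for the admin_email field used in the forged form above: first the unprotected pattern that lets such a form succeed, then the same handler hardened with the nonce and capability checks WordPress provides (the approach the OWASP cheat sheet recommends). The hook, option and nonce names (example_*) are hypothetical.

```php
<?php
// Added example, not the plugins' own code. Hook/option/nonce names are hypothetical.

// Vulnerable pattern: every POST that reaches this hook is trusted, so a form on an
// attacker-controlled page, submitted by a logged-in admin, silently changes the option.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['admin_email'] ) ) {
        update_option( 'example_admin_email', $_POST['admin_email'] );
    }
}

// Hardened pattern, part 1: the form carries a nonce bound to this action and to the
// current user's session. A cross-site form cannot know that token.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings" />
        <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
        <input type="email" name="admin_email"
               value="<?php echo esc_attr( get_option( 'example_admin_email', '' ) ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: the handler checks who is asking and whether the request
// really came from the form above before touching any option.
function example_save_settings_hardened() {
    // Capability check: customers and subscribers must never reach the update.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: on a missing or forged token WordPress stops the request with
    // "The link you followed has expired." instead of running the code below.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    // Validate the value itself; a nonce proves intent, not that the input is sane.
    $email = isset( $_POST['admin_email'] ) ? sanitize_email( wp_unslash( $_POST['admin_email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_admin_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&settings-updated=true' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

The same two checks (current_user_can plus check_admin_referer, or check_ajax_referer for AJAX endpoints) apply to any handler that changes settings, prices or shipping options, which is exactly what the forged forms in this post target.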

References and further reading

- Original advisory for Szamlazz.hu & WooCommerce plugin
- WordPress.org page for Viszt Péter's Integration for Szamlazz.hu & WooCommerce
- Original advisory for Csomagpontok és szállítási címkék WooCommerce-hez plugin
- WordPress.org page for Csomagpontok és szállítási címkék WooCommerce-hez
- OWASP CSRF Prevention Cheat Sheet

Conclusion

CVE-2022-41685 highlights the importance of keeping software components up-to-date and focusing on security practices. By addressing these multiple CSRF vulnerabilities in the Viszt Péter's Integration for Szamlazz.hu & WooCommerce and the Csomagpontok és szállítási címkék WooCommerce-hez plugins, you will be taking a significant step in maintaining the security of your WordPress site.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 16:45:00 UTC