CVE-2023-47655 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the popular plugin Marco Milesi ANAC XML Bandi di Gara, affecting versions up to 7.5. This plugin is commonly used by Italian public organizations and entities to work with ANAC XML files for “Bandi di Gara” (public tender announcements), integrating them into WordPress websites.

This post gives you a plain-English breakdown of what the vulnerability is, how attackers could exploit it, and how to patch your site if you’re at risk. For developers and site admins, we've also included simple code examples and helpful references.

What is CVE-2023-47655?

In short, this flaw allows attackers to trick a logged-in admin into performing unwanted actions on their WordPress site without their consent. This is possible because certain sensitive actions in the plugin do not properly check for WordPress security tokens (nonces), making them vulnerable to CSRF attacks.

Why Does This Matter?

Imagine you’re logged into your site's dashboard and browse a malicious website in another tab. If that site is set up to exploit CVE-2023-47655, it can perform actions on your behalf within the vulnerable plugin—like changing settings or uploading malicious data. You wouldn't see anything suspicious until it’s too late.

How Does the Exploit Work?

The vulnerability is caused by missing CSRF protection in certain plugin actions. For example, a form submission endpoint that changes plugin settings isn't verifying WordPress's nonce, so any external site can submit a forged request if a user is logged in as admin.

This is a simplified look at the problematic code found in older versions:

// Vulnerable: no nonce check! The handler trusts any POST that carries the
// parameter, regardless of which site the request actually came from.
if (isset($_POST['anac_setting'])) {
    update_option('anac_setting', $_POST['anac_setting']);
}

With no check_admin_referer() or similar function call, *any site* can trick the admin into executing this.

A safer version would look like this:

if (isset($_POST['anac_setting'])
    && current_user_can('manage_options')              // caller is allowed to change settings
    && check_admin_referer('anac_update_settings')) {  // request carries a valid nonce for this action
    update_option('anac_setting', sanitize_text_field(wp_unslash($_POST['anac_setting'])));
}

check_admin_referer() terminates the request with wp_die() when the nonce is missing or invalid, so a forged request never reaches update_option(). The capability check and sanitize_text_field() call are not part of the CSRF fix itself, but they are the normal companions of a nonce check in a WordPress settings handler.
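The page only shows the handler side of the fix; the nonce still has to be generated on the form side, or check_admin_referer() will reject even legitimate submissions. The following is an added example (not code from the plugin or from Marco Milesi) showing the full form-plus-handler round trip; the anacx_* function names, the constant and the page slug are illustrative assumptions, and the code assumes it runs inside WordPress.

```php
<?php
// Added example, not the plugin's own code. Names prefixed anacx_ and the
// option key 'anac_setting' are hypothetical; WordPress APIs are real.

const ANACX_NONCE_ACTION = 'anac_update_settings';

// 1. Settings form. wp_nonce_field() emits a hidden _wpnonce input tied to the
//    current user session and to ANACX_NONCE_ACTION. A third-party page cannot
//    read this value, so a cross-site POST arrives without a valid token.
function anacx_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=anac-plugin-settings' ) ); ?>">
        <?php wp_nonce_field( ANACX_NONCE_ACTION ); ?>
        <input type="text" name="anac_setting"
               value="<?php echo esc_attr( get_option( 'anac_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handler, hooked on admin_init so it runs before any output. Order of checks:
//    capability first (may this user change settings at all?), then nonce
//    (did the request really originate from our form?), then sanitise and store.
function anacx_handle_settings_post() {
    if ( ! isset( $_POST['anac_setting'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() on a missing or invalid nonce, so a
    // forged request like the HTML form shown below never reaches update_option().
    check_admin_referer( ANACX_NONCE_ACTION );

    $value = sanitize_text_field( wp_unslash( $_POST['anac_setting'] ) );
    update_option( 'anac_setting', $value );
}
add_action( 'admin_init', 'anacx_handle_settings_post' );
```

Because nonces are bound to the logged-in user and expire (by default after 12 to 24 hours), a token copied from one session cannot be replayed from another, which is what makes the hidden field an effective CSRF defence rather than just another form parameter.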

---

Here’s a sample HTML exploit a bad actor might use:

<!-- Only works if victim admin is logged in -->
<form action="https://victim-website.com/wp-admin/admin.php?page=anac-plugin-settings" method="POST" id="csrf">
    <input type="hidden" name="anac_setting" value="malicious_payload">
</form>
<script>
    document.getElementById('csrf').submit();
</script>

If an admin visits a page containing this, their browser will submit the form in the background—modifying the plugin’s settings.

How to Fix

Marco Milesi released an update to fix this bug in version 7.6. Here’s what site admins should do:

1. Update Immediately: Go to Plugins > Installed Plugins, find ANAC XML Bandi di Gara, and update to at least version 7.6.

2. Check for Unknown Changes: Review plugin settings or any custom data that may have changed.

3. Educate Your Team: Let your site's admins/editors know about safe browsing while logged in.

4. Review Your Plugins: Look for any direct processing of $_POST or $_GET without nonce checks.

5. Follow Best Practices: Consult the WordPress Nonce documentation.

References

- Official WordPress Plugin Page
- CVE Security Advisory
- wpvulndb entry for CVE-2023-47655
- What is CSRF? – OWASP

Conclusion

CVE-2023-47655 is a textbook example of why CSRF protection matters, especially for plugins handling important data on thousands of public sites. If you're using Marco Milesi ANAC XML Bandi di Gara, check your plugin version and update now. Always stay up-to-date and put security at the heart of your site management!

*If you liked this breakdown, bookmark and share to help keep the web safer!*

Timeline

Published on: 11/18/2023 22:15:09 UTC
Last modified on: 11/27/2023 20:33:58 UTC