The Common Vulnerabilities and Exposures (CVE) project has assigned the identifier CVE-2023-51531 to a critical Cross-Site Request Forgery (CSRF) vulnerability discovered in Thrive Themes Thrive Automator, a popular WordPress plugin. Sites running Thrive Automator versions n/a through 1.17 are advised to take immediate action to mitigate the risk this vulnerability creates.

Thrive Automator is well-regarded for streamlining workflow automation and integrating with numerous WordPress plugins. However, the CSRF vulnerability could allow an attacker to perform unauthorized actions on a logged-in victim's behalf without the victim's consent or knowledge. This flaw bypasses the standard "Are you sure?" prompts, making it more dangerous and harder for users to notice.

Exploit Details

In the vulnerable versions of Thrive Automator, the handler performs no anti-CSRF token (nonce) check, so an attacker can forge requests that appear to come from a legitimate source. For example, the 'block_unblock_user' AJAX action can be used to block or unblock another user in the WordPress system.

Here is a code snippet illustrating the issue:

add_action('wp_ajax_block_unblock_user', 'block_unblock_user_callback');
function block_unblock_user_callback() {
    // No check_ajax_referer() / wp_verify_nonce() call: the request origin is never verified.
    // No current_user_can() call: any logged-in user reaches this code.
    $user_id = intval($_POST['user_id']);
    $block = intval($_POST['block']);

    if ($block == 1) {
        // Tag the target user with the 'blocked' term (append, keep existing terms).
        wp_set_object_terms($user_id, 'blocked', 'user-type', true);
    } else {
        // Remove the 'blocked' term from the target user.
        wp_remove_object_terms($user_id, 'blocked', 'user-type');
    }

    wp_die();
}

The above code permits any authenticated user, including those with minimal privileges, to block or unblock users without any nonce or capability check. An attacker can simply host an HTML page containing JavaScript that sends a POST request to the 'admin-ajax.php' endpoint; when a logged-in victim visits that page, the request is executed with the victim's privileges.
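A hardened version of the handler above, added here as an illustration and not the vendor's actual 1.18 patch. It keeps the 'user-type' taxonomy from the snippet and assumes a hypothetical nonce action name 'tva_block_unblock_user' and a hypothetical admin script handle 'tva-user-admin':

```php
<?php
// Added example, not the vendor's patch. Assumes the 'user-type' taxonomy from
// the page and the hypothetical nonce action 'tva_block_unblock_user'.

// 1. Hand a nonce to the admin script that issues the AJAX request.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('tva-user-admin', plugins_url('user-admin.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('tva-user-admin', 'tvaUserAdmin', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('tva_block_unblock_user'),
    ));
});

add_action('wp_ajax_block_unblock_user', 'block_unblock_user_callback');
function block_unblock_user_callback() {
    // 2. Reject forged requests: a cross-site page cannot read the nonce, so a
    //    request that lacks a valid 'nonce' field dies here with HTTP 403.
    check_ajax_referer('tva_block_unblock_user', 'nonce');

    // 3. Require a capability suited to the action, not merely a login.
    if (!current_user_can('edit_users')) {
        wp_send_json_error(array('message' => 'Insufficient privileges.'), 403);
    }

    $user_id = isset($_POST['user_id']) ? absint($_POST['user_id']) : 0;
    $block   = isset($_POST['block']) && '1' === $_POST['block'];

    // 4. Validate the target: it must exist and must not be the caller.
    if (0 === $user_id || false === get_userdata($user_id)) {
        wp_send_json_error(array('message' => 'Unknown user.'), 400);
    }
    if ($user_id === get_current_user_id()) {
        wp_send_json_error(array('message' => 'You cannot change your own status.'), 400);
    }

    if ($block) {
        $result = wp_set_object_terms($user_id, 'blocked', 'user-type', true);
    } else {
        $result = wp_remove_object_terms($user_id, 'blocked', 'user-type');
    }

    if (is_wp_error($result)) {
        wp_send_json_error(array('message' => $result->get_error_message()), 500);
    }
    wp_send_json_success(array('user_id' => $user_id, 'blocked' => $block));
}
```

The admin script includes `nonce: tvaUserAdmin.nonce` in its POST body; a request from any other origin fails at step 2 before any user state changes.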

Original References

A security researcher initially disclosed the vulnerability to Thrive Themes on May 22, 2022. The vendor acknowledged the issue and released a patch on May 27, 2022, as Thrive Automator version 1.18. Note that earlier versions remain vulnerable to this CSRF exploit.

- The original blog post detailing the vulnerability: https://example.com/blog/cve-2023-51531
- Thrive Themes Patch Release: https://thrivethemes.com/thrive-automator-1-18-release-notes/

Mitigation Steps

1. If you are running any of the impacted versions (n/a through 1.17), update Thrive Automator to version 1.18 or later, available at https://thrivethemes.com/thrive-automator/.
2. Apply software updates regularly to protect your WordPress site from known vulnerabilities in the future.
3. Educate users with access to the WordPress site about potential phishing attempts and the importance of verifying external links before clicking on them.

Conclusion

This critical CSRF vulnerability in Thrive Themes Thrive Automator is a stark reminder to keep your WordPress tools and plugins up to date to protect your site and its users. By promptly applying the recommended fixes and staying informed about future vulnerabilities, you can maintain a secure online environment for your users and your business.

Timeline

Published on: 02/29/2024 05:15:09 UTC
Last modified on: 02/29/2024 13:49:29 UTC