Hello everyone, today I'd like to discuss an important and critical security issue: CVE-2023-5385. This is a vulnerability found in the Funnelforms Free plugin for WordPress that allows unauthorized modification of data in versions up to, and including, 3.4. This makes it possible for attackers with just subscriber-level permissions to create copies of arbitrary posts without authorization.

Vulnerability Details

The Funnelforms Free plugin is widely used for content duplication and page copying in WordPress websites. However, it has been found that there is a missing capability check on the fnsf_copy_posts function in version 3.4, which leads to unauthorized access and data manipulation. This means that attackers with just subscriber-level access can exploit this vulnerability to create copies of existing posts.

Here's a code snippet from the plugin that demonstrates the security issue:

// Inside fnsf.php
function fnsf_copy_posts(){
	// ... (some code)
	// Assumed here: the target post ID is read from the request (elided in the original snippet).
	$post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

	// The nonce only proves the request originated from a page that issued it (CSRF protection);
	// it says nothing about what the user is allowed to do.
	$nonce = isset( $_GET['nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'fnsf-duplicate-post_' . $post_id ) ) {
		// ... (error handling)
	}

	// Note: Missing capability check! Any logged-in user holding a valid nonce reaches this line.
	$new_post_id = fnsf_duplicate_post( $post_id );
	// ...
}

Notice that the code snippet above does not check the capability/permission of the logged-in user before allowing them to continue creating a copy of the post. This should not be the case, as it allows any authenticated user to create unauthorized copies of posts.

1. Log in to the vulnerable WordPress website with a subscriber-level account.

2. Obtain the post_id of the target post to copy, either by examining URLs or by making intelligent guesses.

Solution and Mitigation

To address this vulnerability, the plugin author should add a capability check to ensure that only authorized users can create copies of posts. This can be done by using the current_user_can() function like this:

// Inside fnsf.php
function fnsf_copy_posts(){
	// ... (nonce verification as before)

	// Authorization check: must run before any post is duplicated.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( __( 'You do not have the necessary permissions.', 'funnelforms' ) );
	}
	// A stricter variant checks the specific post: current_user_can( 'edit_post', $post_id ).
	// ...
}

This ensures that only users with the proper edit_posts capability are able to create copies, thus preventing unauthorized access.
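To show how nonce verification and the capability check fit together in a complete handler, here is an added example written for this post; it is not Funnelforms' code, and the hook name, function name and nonce action are illustrative assumptions. It goes one step beyond the fix above by using the per-post edit_post capability rather than the blanket edit_posts one.

```php
<?php
// Added example (not the plugin's code): a hardened duplicate-post handler
// showing the order of checks a WordPress action handler should follow.
// The hook, function and nonce action names are assumptions for illustration.

add_action( 'admin_post_example_duplicate_post', 'example_duplicate_post' );

function example_duplicate_post() {
	// 1. Authentication: admin_post_* only fires for logged-in users, but be explicit.
	if ( ! is_user_logged_in() ) {
		wp_die( 'Not logged in.', '', array( 'response' => 401 ) );
	}

	// 2. Input validation: a post ID must be a positive integer naming a real post.
	$post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
	$post    = $post_id ? get_post( $post_id ) : null;
	if ( ! $post ) {
		wp_die( 'Invalid post.', '', array( 'response' => 400 ) );
	}

	// 3. CSRF: the nonce ties the request to this action and this post.
	$nonce = isset( $_GET['nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'example-duplicate-post_' . $post_id ) ) {
		wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
	}

	// 4. Authorization: the check missing in CVE-2023-5385. A nonce is not a
	//    permission check, since every logged-in user can obtain one. The meta
	//    capability 'edit_post' limits the user to posts they may already edit.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( 'You do not have permission to duplicate this post.', '', array( 'response' => 403 ) );
	}

	// 5. Only now perform the state change; the copy is a draft owned by the caller.
	$new_id = wp_insert_post( array(
		'post_title'   => $post->post_title . ' (copy)',
		'post_content' => $post->post_content,
		'post_type'    => $post->post_type,
		'post_status'  => 'draft',
		'post_author'  => get_current_user_id(),
	), true );
	if ( is_wp_error( $new_id ) ) {
		wp_die( esc_html( $new_id->get_error_message() ) );
	}

	wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
	exit;
}
```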

In the meantime, users of the Funnelforms Free plugin should update to the latest version as soon as it becomes available or use alternative content duplication plugins that have proper access controls in place.

References

For more information on this vulnerability and CVE-2023-5385, you can refer to the following original references:

1. CVE-2023-5385 Official NVD Release
2. WordPress Plugin Funnelforms Free - Security Advisory

In conclusion, this vulnerability highlights the importance of thoroughly checking access controls and permissions in WordPress plugins. While the Funnelforms Free plugin can be a very useful tool, it is crucial to keep it updated and patched to prevent any potential unauthorized data modifications. Stay secure out there!

Timeline

Published on: 11/22/2023 16:15:11 UTC
Last modified on: 11/27/2023 20:13:07 UTC