CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site running the vulnerable extension can be tricked, by clicking a link, into deleting an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Details

The vulnerability is caused by the handler for the ajax action del_reistered_domain (sic), which neither performs a nonce check nor verifies that the user performing the action is authorized to do so.

add_action( 'wp_ajax_del_reistered_domain', 'slm_del_reg_dom' );
function slm_del_reg_dom() {
	global $wpdb;
	// No nonce check and no capability check: any logged-in user's browser
	// can be made to issue this request.
	$reg_table = SLM_TBL_LIC_DOMAIN;
	// Expected to be numeric, but never validated as such.
	$id        = sanitize_text_field( $_GET['id'] );
	$ret       = $wpdb->query( "DELETE FROM $reg_table WHERE id='$id'" );
	echo ( $ret ) ? 'success' : 'failed';
	exit( 0 );
}

We always recommend performing nonce checks on any action, and authorizing the user by checking their capabilities in all non-public action handlers.

The observant reader may also wonder whether there is a SQL injection vulnerability here as well. The $_GET['id'] parameter is expected to be numeric, but this is never validated. However, because WordPress escapes any quotation marks in request parameters, and the sanitize_text_field function removes any URL-encoded octets, the usage here should be safe from exploitation, if not necessarily bug free.
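As an added example (not code from the plugin or from its 4.5.1 release), this is what the same handler looks like with the three fixes discussed above applied: a nonce check, a capability check, and numeric validation with a prepared statement. The nonce action name 'slm_del_reg_dom', the 'manage_options' capability and the URL-builder helper are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress environment
// (check_ajax_referer, current_user_can, $wpdb, wp_send_json_*) and the plugin's
// SLM_TBL_LIC_DOMAIN constant. The nonce action name 'slm_del_reg_dom' and the
// 'manage_options' capability are assumptions chosen for this example.

add_action( 'wp_ajax_del_reistered_domain', 'slm_del_reg_dom_hardened' );

function slm_del_reg_dom_hardened() {
	global $wpdb;

	// 1. CSRF protection: the request must carry a nonce bound to this action.
	//    check_ajax_referer() terminates the request if the nonce is missing or stale.
	check_ajax_referer( 'slm_del_reg_dom', 'nonce' );

	// 2. Authorization: only users allowed to administer the site may delete rows.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 3. Input validation: the id is an integer key, so coerce it to a positive int.
	$id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
	if ( 0 === $id ) {
		wp_send_json_error( 'invalid id', 400 );
	}

	// 4. Parameterised query: request data is never interpolated into the SQL string.
	$reg_table = SLM_TBL_LIC_DOMAIN;
	$ret       = $wpdb->query(
		$wpdb->prepare( "DELETE FROM {$reg_table} WHERE id = %d", $id )
	);

	if ( false === $ret ) {
		wp_send_json_error( 'failed', 500 );
	}
	wp_send_json_success( array( 'deleted' => (int) $ret ) );
}

// The legitimate caller (the plugin's admin page) must emit the matching nonce.
// Hypothetical helper that builds such a delete URL for the admin UI:
function slm_del_reg_dom_url( $id ) {
	return wp_nonce_url(
		add_query_arg(
			array( 'action' => 'del_reistered_domain', 'id' => absint( $id ) ),
			admin_url( 'admin-ajax.php' )
		),
		'slm_del_reg_dom',
		'nonce'
	);
}
```

A forged link from another site cannot carry a valid nonce for the victim's session, so the handler now rejects the request before touching the database.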

Version 4.5.1 addresses both of these issues.

Recommendations

We encourage any site with versions earlier than 4.5.1 of the Software License Manager plugin for WordPress to update as soon as possible.

We strongly recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.

Timeline

2021-09-01: Vulnerability discovered by the Jetpack Scan Team
2021-09-07: Reported to WPScan, contacted vendor. 
2021-09-10: Received and verified fixed version from vendor.
