CVE-2020-8417: From CSRF to RCE and WordPress-site takeover

A high-severity Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2020-8417, exists in the popular WordPress plugin Code Snippets, leaving over 200,000 websites open to site takeover.

In this blog post, we will cover what caused the flaw, an example proof of concept showing exploitation in a sandbox environment, and mitigation steps.

What is the Code Snippets Vulnerability?

The National Vulnerability Database (NVD) describes CVE-2020-8417 as follows:

The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu.

I will explain this in three simple steps:

  1. The plugin allows users to add snippets of PHP code to extend the functionality of a WordPress-powered website without editing their theme's functions.php file.
  2. Code Snippets offers an import menu for importing snippets onto the website. Because the import menu did not validate the HTTP Referer header (or any other proof that the request originated from the admin UI), the plugin's import function lacked CSRF protection.
  3. Without this protection, an attacker could craft a malicious request and trick an administrator into infecting their own site with it.

Therefore, CVE-2020-8417 allows anybody to forge a request on behalf of a logged-in administrator and inject executable PHP code into a vulnerable site. In other words, it is a Cross-Site Request Forgery (CSRF) that escalates to Remote Code Execution (RCE).
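To make the root cause concrete, here is an added illustration (not the Code Snippets plugin's own code): a hypothetical admin import handler that relies only on the capability check, beside the same handler protected with WordPress's nonce API. Every function name prefixed `hypothetical_` is an assumption; the `wp_nonce_field()`, `check_admin_referer()`, `current_user_can()` and `submit_button()` calls are real WordPress core functions.

```php
<?php
// Added illustration, not the Code Snippets plugin's actual code.
// Hypothetical import routine shared by both handlers below: reads a JSON
// file of snippets and returns how many it would store (storage is assumed).
function hypothetical_import_snippets( $path ) {
    $data = json_decode( (string) file_get_contents( $path ), true );
    if ( ! is_array( $data ) || empty( $data['snippets'] ) ) {
        return 0;
    }
    return count( $data['snippets'] ); // hypothetical: persist each snippet here
}

// --- Vulnerable pattern: a capability check is not an intent check ---
function hypothetical_import_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // A cross-site POST from an attacker's page carries the admin's session
    // cookies, so this check passes even though the admin never chose to import.
    if ( ! empty( $_FILES['import_file']['tmp_name'] ) ) {
        return hypothetical_import_snippets( $_FILES['import_file']['tmp_name'] );
    }
    return 0;
}

// --- Hardened pattern: bind the form to a per-user, per-action nonce ---
function hypothetical_import_form() {
    echo '<form method="post" enctype="multipart/form-data">';
    // Emits a hidden _wpnonce field tied to this action and the current user.
    wp_nonce_field( 'hypothetical_import_snippets', '_wpnonce' );
    echo '<input type="file" name="import_file">';
    submit_button( 'Import' );
    echo '</form>';
}

function hypothetical_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // check_admin_referer() verifies the nonce for this action and dies with
    // a "link expired" page if it is missing or invalid. An attacker's page
    // cannot read or predict the nonce, so a forged cross-site request stops here.
    check_admin_referer( 'hypothetical_import_snippets', '_wpnonce' );
    if ( ! empty( $_FILES['import_file']['tmp_name'] ) ) {
        return hypothetical_import_snippets( $_FILES['import_file']['tmp_name'] );
    }
    return 0;
}
```

A Referer check alone is a weaker substitute: browsers may omit or trim the header under referrer policies, so the nonce is the control that actually proves the request came from the admin's own form.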

Proof Of Concept

Note: I cannot publicly disclose the technical details or the exploit because the official PoC has not yet been released; it is scheduled for 12th Feb 2020, to give users ample time to update.

Setup

Here, I set up a local WordPress installation to demonstrate the proof of concept. I use Code Snippets v2.13.3 to show the vulnerability, since the bug was patched in v2.14.0.
We download, import, install, and then activate the plugin.

(Screenshot: Code Snippets plugin is activated)

To better understand the risk associated with the bug, I have removed all default code snippets, and only a single administrator user, "admin", is currently present.

(Screenshot: no code snippets)
(Screenshot: single admin user)

Upon successful exploitation of this vulnerability, we expect to see one new code snippet titled "Attacker PoC" and one new user named "attacker" with administrative privileges.

Attack Scenario

Say you are the admin, reviewing comments, and a user has left a comment on your site saying they loved your content and would like you to check out theirs. Pretty innocent, right?

(Screenshot: innocent-looking comment containing a link to the malicious web page)

This way, a remote attacker (testuser) can trick the victim (admin) into visiting a specially crafted web page that performs arbitrary actions on the vulnerable website on the victim's behalf, leading to remote code execution.

(Screenshot: exploitation PoC)

Here, as soon as the victim (admin) clicks "Submit Request", a forged request carrying the admin's privileges is sent to the site, and the attacker's malicious code is injected and executed there; in this case a Cross-Site Scripting attack via injected JavaScript. A malicious new code snippet and an "attacker" user with administrative privileges have also been added.

I would like to clarify the following:

Exploiting this vulnerability does not require that the target website has comments enabled; we used comments only as our method of demonstration, to show one of many ways an attacker could exploit this vulnerability (and how easily it can be disguised). In the context of WordPress, exploitation usually stems from a target administrator clicking something like a link in a comment or an email while concurrently logged into the target WordPress site. The administrator does not have to click anything like "Submit Request" on the malicious site for the exploit to succeed; merely landing on the malicious page is usually enough, because the forged request can be sent in the background.

With remote code execution vulnerabilities, the exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site visitors, and much more.

How to resolve the Code Snippets Vulnerability?

This is very simple. Navigate to the Plugins section of your WordPress dashboard and update the plugin to the newest version, v2.14.0. We would also recommend scanning and monitoring your WordPress website with WPSec.

Vulnerabilities like this are found often. As such, we recommend that all users keep on top of updates, either by updating manually or by activating automatic updates.

Write up by Eshaan Bansal
