Source: cve@mitre.org
Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list.
WordPress 2.0.11 and earlier are vulnerable to Cross-Site Request Forgery (CSRF). An attacker can cause a logged-in administrator's browser to perform administrative actions, specifically moving comments to the moderation list, which can lead to denial of service or content manipulation without the attacker ever holding the administrator's credentials.
Step 1: Victim Login: An administrator is logged into the vulnerable WordPress instance.
Step 2: Request Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or a JavaScript snippet that automatically submits a request to wp-admin/options-discussion.php with the parameters that move a comment to moderation.
Step 3: Payload Delivery: The attacker lures the administrator to visit the malicious page or open the malicious email.
Step 4: Request Execution: The administrator's browser, still authenticated to the WordPress site, automatically sends the crafted request to the vulnerable WordPress instance, attaching the administrator's session cookies.
Step 5: Action Execution: Because the endpoint performs no CSRF check, the server processes the request as if the administrator had initiated it and moves the targeted comment to the moderation queue. Repeating the request can move every comment to moderation, effectively causing a denial of service.
The vulnerability stems from missing CSRF protection in wp-admin/options-discussion.php in WordPress. The component that handles comment moderation actions (moving comments to moderation) does not validate a CSRF token or otherwise verify that the request was intentionally issued by the administrator. An attacker can therefore craft a request that, when a logged-in administrator's browser executes it, performs the targeted action. The root cause is a missing or inadequate anti-CSRF mechanism, such as the synchronizer token pattern or the double-submit cookie pattern, that would reject state-changing requests initiated from a different origin.
No specific APT is linked to this CVE, but it is a class of vulnerability that any attacker can exploit: it is low-hanging fruit and can be chained with other vulnerabilities. This CVE is not listed in the CISA KEV catalog.
Monitor web server logs for POST requests to wp-admin/options-discussion.php from unexpected sources or with unusual parameters.
Analyze HTTP Referer headers to identify requests originating from external domains.
Implement a Web Application Firewall (WAF) with rules to detect and block CSRF attempts.
Monitor for unusual comment moderation activity, such as a sudden increase in comments being moved to moderation.
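As an added, defensive example that is not part of the original advisory, the following Python script applies the log-based checks above (POSTs to wp-admin/options-discussion.php, external or missing Referer, and bursts of moderation requests per client) to constructed web-server log lines. It assumes the Apache/nginx combined log format and a site hostname of blog.example.com; the Referer check is only a heuristic signal to review, because browsers, privacy settings and proxies can legitimately strip the header.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

SITE_HOST = "blog.example.com"  # assumed hostname of the protected WordPress site
TARGET_PATH = "/wp-admin/options-discussion.php"  # endpoint named in the CVE

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (not real logs): a normal admin visit, a normal save,
# then two POSTs whose Referer is external or missing.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2007:10:00:01 +0000] "GET /wp-admin/options-discussion.php HTTP/1.1" 200 5120 "https://blog.example.com/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2007:10:00:09 +0000] "POST /wp-admin/options-discussion.php HTTP/1.1" 302 0 "https://blog.example.com/wp-admin/options-discussion.php" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2007:10:05:33 +0000] "POST /wp-admin/options-discussion.php HTTP/1.1" 302 0 "http://attacker.invalid/lure.html" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2007:10:05:34 +0000] "POST /wp-admin/options-discussion.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_origin_mismatch(referer, site_host=SITE_HOST):
    """True when the Referer is absent ("-") or names a host other than the site.
    Absent Referer is a weak signal on its own, so callers should treat hits as review items."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != site_host


def find_suspicious_posts(log_text, site_host=SITE_HOST, target_path=TARGET_PATH):
    """State-changing POSTs to the moderation endpoint whose Referer is external or missing."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if urlsplit(rec["path"]).path != target_path:
            continue
        if referer_origin_mismatch(rec["referer"], site_host):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "referer": rec["referer"]})
    return hits


def post_burst_by_ip(log_text, target_path=TARGET_PATH, threshold=2):
    """Clients issuing at least `threshold` POSTs to the endpoint: the pattern that
    repeatedly moving comments to moderation leaves in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and urlsplit(rec["path"]).path == target_path:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

On the sample above, find_suspicious_posts flags the two POSTs with an external or missing Referer and post_burst_by_ip reports three moderation POSTs from the single client.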
Upgrade to a patched version of WordPress (version 2.0.12 or later).
Implement a Web Application Firewall (WAF) to filter malicious requests.
Implement CSRF protection in custom themes and plugins.
Regularly scan the WordPress installation for vulnerabilities.
Educate administrators about phishing and social engineering attacks.