Source: cve@mitre.org
Cross-site request forgery (CSRF) vulnerability in the PictoBrowser (pictobrowser-gallery) plugin 0.3.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the pictoBrowserFlickrUser parameter in the options-page.php page to wp-admin/options-general.php.
WordPress sites running the vulnerable PictoBrowser plugin are exposed to a cross-site request forgery (CSRF) attack in which an attacker forges a settings-change request that a logged-in administrator's browser submits on the attacker's behalf. Because the plugin also stores and renders the submitted value without sanitization, the forged change can plant a cross-site scripting (XSS) payload, giving the attacker a path to complete control of the compromised site.
Step 1: Victim Login: An administrator logs into the vulnerable WordPress website, authenticating their session.
Step 2: Attacker Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or JavaScript code. This code targets the wp-admin/options-general.php page with the pictoBrowserFlickrUser parameter.
Step 3: Payload Delivery: The attacker lures the administrator into visiting the malicious page or opening the malicious email. This could be achieved through phishing, social engineering, or other means.
Step 4: CSRF Execution: When the administrator's browser loads the malicious page, the hidden form or JavaScript code automatically submits a request to wp-admin/options-general.php with the attacker-controlled pictoBrowserFlickrUser value. This request is sent in the context of the administrator's authenticated session.
Step 5: Setting Modification: The vulnerable plugin processes the request and updates the pictoBrowserFlickrUser setting with the attacker-provided value. Because of the lack of CSRF protection, the request is processed without any verification of its origin.
Step 6: XSS Trigger: When the plugin later uses the modified pictoBrowserFlickrUser setting (e.g., when displaying the plugin's settings or when the plugin attempts to fetch data from Flickr), the injected JavaScript code is executed within the administrator's browser.
Step 7: Account Takeover: The injected JavaScript code can perform various malicious actions, such as stealing the administrator's session cookies, redirecting the administrator to a phishing site, or creating new administrator accounts, ultimately leading to complete control of the website.
The vulnerability stems from the plugin's options-page.php failing to verify the origin of requests: no CSRF token or other origin check is performed when the pictoBrowserFlickrUser setting is updated. An attacker can therefore craft a request that, when an authenticated administrator's browser submits it, changes this setting. Because the plugin also does not sanitize the pictoBrowserFlickrUser value, the new setting can carry JavaScript, which then runs in the context of the administrator's session when the plugin renders or uses the value, leading to XSS and potential account takeover. In short, the root cause is the absence of CSRF tokens or other origin verification during settings updates, coupled with insufficient input validation of the pictoBrowserFlickrUser parameter.
While no specific APT groups are known to use this vulnerability, its ease of exploitation makes it attractive to a broad range of attackers, including those seeking to deface websites, steal data, or establish a foothold for further attacks. The vulnerability is not listed in the CISA KEV catalog; absence from that catalog does not mean it poses no threat.
Monitor web server logs for suspicious POST requests to wp-admin/options-general.php with the pictoBrowserFlickrUser parameter.
Analyze HTTP request headers (for example Origin and Referer) on requests to wp-admin, and check submissions for missing or incorrect CSRF tokens.
Implement a Web Application Firewall (WAF) to detect and block malicious requests attempting to inject JavaScript code.
Monitor for unusual activity from administrator accounts, such as unexpected changes to website settings or the creation of new user accounts.
Use a file integrity monitoring (FIM) tool to detect unauthorized modifications to plugin files, especially options-page.php.
Update the PictoBrowser plugin to version 0.3.2 or later, which includes a fix for this vulnerability.
If updating is not immediately possible, disable the PictoBrowser plugin.
Implement CSRF protection in the plugin's code by using CSRF tokens or other origin verification mechanisms when handling requests to modify settings.
Sanitize all user-supplied input, including the pictoBrowserFlickrUser parameter, to prevent XSS attacks.
Regularly update WordPress core, themes, and plugins to the latest versions to address security vulnerabilities.
Implement a Web Application Firewall (WAF) to filter malicious traffic.
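The two controls called for in the CSRF-protection and input-sanitization items above, as an added PHP example that is not the plugin's own code (the advisory does not show it); the option key, nonce action, nonce field name and page slug are assumed names, and only the pictoBrowserFlickrUser parameter comes from the advisory:

```php
<?php
// Added example, not code from the PictoBrowser plugin. It shows the two
// controls this advisory says were missing: verification that the request
// originated from the plugin's own settings form (a WordPress nonce) and
// sanitization of the submitted value. Option, action, field and slug names
// below are assumptions; only the parameter name comes from the advisory.

const PB_OPTION       = 'pictoBrowserFlickrUser';
const PB_NONCE_ACTION = 'pb_save_flickr_user';   // assumed nonce action
const PB_NONCE_FIELD  = 'pb_nonce';              // assumed nonce field name

// Render the settings form. wp_nonce_field() embeds a token bound to the
// logged-in user, which a page served from another origin cannot obtain.
function pb_render_settings_form() {
    $current = get_option( PB_OPTION, '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'options-general.php?page=pictobrowser' ) ) . '">';
    wp_nonce_field( PB_NONCE_ACTION, PB_NONCE_FIELD );
    // esc_attr() keeps a stored value from breaking out of the attribute,
    // which closes the stored-XSS half of the issue when the form is shown.
    echo '<label>Flickr user <input type="text" name="' . PB_OPTION . '" value="' . esc_attr( $current ) . '"></label>';
    submit_button();
    echo '</form>';
}

// Handle the submission on admin_init, before any output is sent.
function pb_handle_settings_post() {
    if ( ! isset( $_POST[ PB_OPTION ] ) ) {
        return;
    }
    // Authorization: only users who may manage options can change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: check_admin_referer() dies if the nonce is absent, stale, or
    // issued for a different user or action.
    check_admin_referer( PB_NONCE_ACTION, PB_NONCE_FIELD );
    // Sanitization: strip tags, null bytes and control characters.
    $flickr_user = sanitize_text_field( wp_unslash( $_POST[ PB_OPTION ] ) );
    update_option( PB_OPTION, $flickr_user );
}
add_action( 'admin_init', 'pb_handle_settings_post' );
```

esc_attr() is the right escaper only for an HTML attribute; where the stored value is emitted into inline JavaScript or into the Flickr request URL (the other trigger the advisory names), use esc_js() or esc_url() respectively at that output point.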