CVE-2014-9394

Source: cve@mitre.org

MEDIUM
6.8
Published: December 31, 2014 at 09:59 PM
Modified: April 12, 2025 at 10:46 AM

Vulnerability Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the PWGRandom plugin 1.11 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) pwgrandom_title or (2) pwgrandom_category parameter in the pwgrandom page to wp-admin/options-general.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Administrators of WordPress sites using the PWGRandom plugin versions 1.11 and earlier are vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to inject malicious JavaScript through the plugin's settings page. This vulnerability enables attackers to hijack administrator sessions and potentially gain complete control of the website, leading to data breaches and website defacement.

02 // Vulnerability Mechanism

Step 1: Craft Malicious Payload: The attacker crafts a malicious HTML form or JavaScript code that, when executed in the administrator's browser, will send a POST request to wp-admin/options-general.php with the pwgrandom_title or pwgrandom_category parameters containing the attacker's malicious JavaScript payload.

Step 2: Social Engineering: The attacker lures an administrator to visit a webpage containing the malicious payload. This can be achieved through phishing emails, malicious advertisements, or compromised websites.

Step 3: Payload Execution: When the administrator's browser loads the malicious payload (HTML form or JavaScript), the POST request is automatically submitted to the vulnerable WordPress site.

Step 4: Settings Modification: The WordPress site, lacking CSRF protection, processes the request and updates the PWGRandom plugin's settings with the attacker's injected JavaScript.

Step 5: XSS Trigger: When the plugin displays the modified settings (e.g., the plugin's title or category) on the website, the attacker's JavaScript payload is executed in the administrator's browser, hijacking their session or performing other malicious actions.

03 // Deep Technical Analysis

The vulnerability stems from a lack of CSRF protection in the PWGRandom plugin's options page. Specifically, the plugin fails to properly validate the origin of requests when updating settings via wp-admin/options-general.php. This allows an attacker to craft a malicious HTML form or JavaScript that, when loaded by an administrator, automatically submits a request to modify the plugin's settings. The attacker can then inject malicious JavaScript into the pwgrandom_title or pwgrandom_category parameters, which are subsequently displayed on the website, leading to a cross-site scripting (XSS) vulnerability. The root cause is the absence of CSRF tokens or other origin validation mechanisms, allowing unauthorized modification of plugin settings.
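To make the root cause concrete, the following is an added illustration and not the PWGRandom plugin's own code (the page does not show its source): a minimal WordPress settings handler written the way the analysis describes, with no nonce check, no capability check and no output escaping, followed by the hardened form that uses WordPress's nonce and capability APIs plus input sanitisation and output escaping. The plugin name, the function names and the form field names other than pwgrandom_title and pwgrandom_category are assumptions.

```php
<?php
/**
 * Plugin Name: Example Random Settings (hypothetical, added illustration)
 * Not the PWGRandom plugin's code. Option keys come from the CVE text;
 * everything else is assumed.
 */

// ---- Vulnerable pattern (as the analysis describes it) ------------------
// No nonce, no capability check, raw input stored, stored value echoed unescaped.
function example_random_save_vulnerable() {
    if ( isset( $_POST['pwgrandom_title'] ) ) {
        update_option( 'pwgrandom_title', $_POST['pwgrandom_title'] );
        update_option( 'pwgrandom_category', $_POST['pwgrandom_category'] );
    }
}

function example_random_render_vulnerable() {
    // Whatever was stored is emitted verbatim: a CSRF-planted value becomes stored XSS.
    echo '<h2>' . get_option( 'pwgrandom_title' ) . '</h2>';
}

// ---- Hardened form -------------------------------------------------------
function example_random_settings_page() {
    // Only administrators (manage_options) may reach the handler at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-random' ) );
    }

    if ( isset( $_POST['example_random_submit'] ) ) {
        // Dies unless the request carries a valid nonce bound to this action
        // and this user; a form submitted from a third-party origin has none.
        check_admin_referer( 'example_random_save', 'example_random_nonce' );

        // Strip tags and control characters before storing.
        $title    = sanitize_text_field( wp_unslash( $_POST['pwgrandom_title'] ?? '' ) );
        $category = sanitize_text_field( wp_unslash( $_POST['pwgrandom_category'] ?? '' ) );
        update_option( 'pwgrandom_title', $title );
        update_option( 'pwgrandom_category', $category );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_random_save', 'example_random_nonce' ); ?>
        <input type="text" name="pwgrandom_title"
               value="<?php echo esc_attr( get_option( 'pwgrandom_title', '' ) ); ?>">
        <input type="text" name="pwgrandom_category"
               value="<?php echo esc_attr( get_option( 'pwgrandom_category', '' ) ); ?>">
        <input type="submit" name="example_random_submit" value="Save">
    </form>
    <?php
}

// Front-end output: escape at the point of output regardless of what is stored.
function example_random_render() {
    echo '<h2>' . esc_html( get_option( 'pwgrandom_title', '' ) ) . '</h2>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'Example Random', 'Example Random', 'manage_options',
                      'example-random', 'example_random_settings_page' );
} );
```

The nonce check alone closes the CSRF vector described above; the sanitisation on input and the escaping on output are what prevent a value that does get stored (by CSRF, by a compromised account or by a direct database edit) from becoming script in a visitor's or an administrator's browser. Both layers are needed, since a nonce proves only that the request came from a form WordPress rendered for that user.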

04 // Exploitation Status

Public PoC. Exploits are readily available and easily adaptable. The vulnerability is considered actively exploited due to the ease of exploitation and the potential for high impact.

05 // Threat Intelligence

While no specific APTs are definitively linked, this vulnerability is likely exploited by a wide range of attackers, including those seeking to deface websites, steal data, or establish a foothold for further attacks. The ease of exploitation makes it attractive to both opportunistic and targeted attacks. This vulnerability is not listed in CISA KEV.

06 // Detection & Hunting

  • Monitor web server logs for suspicious POST requests to wp-admin/options-general.php with the pwgrandom_title or pwgrandom_category parameters containing potentially malicious JavaScript (e.g., <script>, onerror, onload).

  • Implement a Web Application Firewall (WAF) to detect and block malicious requests targeting the vulnerable parameters.

  • Analyze WordPress database for unexpected changes in the PWGRandom plugin's settings, especially the title and category fields.

  • Monitor network traffic for unusual outbound connections originating from the WordPress server, which could indicate a compromised site attempting to exfiltrate data or download further payloads.

  • Use a file integrity monitoring (FIM) tool to detect unauthorized changes to WordPress core files and plugin files.
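One practical caveat on the first hunting item: a default web server access log records the request line and headers, not the POST body, so the pwgrandom_title and pwgrandom_category values never appear there. They are visible in a WAF audit log (for example ModSecurity's) or in the stored option values themselves. The following is an added example, not part of the advisory, that applies the indicators listed above to both sources: a captured form body and the option values as they sit in the database (for instance as returned by WP-CLI's `wp option get`). The function names are assumptions and the sample values are constructed.

```php
<?php
// Added example, not from the advisory. Flags the JavaScript indicators named in the
// hunting guidance (script tags, on* event handlers) in stored settings and captured
// request bodies. Function names are assumed; sample values below are constructed.

/** Return the indicator names found in $value (empty array when clean). */
function example_xss_indicators( string $value ): array {
    // Decode percent-encoding and HTML entities so encoded payloads are not missed.
    $decoded  = html_entity_decode( rawurldecode( $value ), ENT_QUOTES | ENT_HTML5 );
    $patterns = [
        'script_tag'    => '/<\s*script\b/i',
        'event_handler' => '/\bon[a-z]+\s*=/i',             // onerror=, onload=, ...
        'js_uri'        => '/javascript\s*:/i',
        'active_markup' => '/<\s*(svg|iframe|object|embed)\b/i',
    ];
    $hits = [];
    foreach ( $patterns as $name => $re ) {
        if ( preg_match( $re, $decoded ) ) {
            $hits[] = $name;
        }
    }
    return $hits; // a false positive on prose such as "onion=" is acceptable for hunting
}

/** Audit the two option keys named in the CVE; returns key => indicators for flagged ones. */
function example_audit_options( array $options ): array {
    $findings = [];
    foreach ( [ 'pwgrandom_title', 'pwgrandom_category' ] as $key ) {
        $hits = example_xss_indicators( (string) ( $options[ $key ] ?? '' ) );
        if ( $hits ) {
            $findings[ $key ] = $hits;
        }
    }
    return $findings;
}

/** Audit one captured application/x-www-form-urlencoded body sent to options-general.php. */
function example_audit_post_body( string $body ): array {
    parse_str( $body, $params );
    return example_audit_options( $params );
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed sample of stored option values.
    $stored = [
        'pwgrandom_title'    => 'Random Photo',
        'pwgrandom_category' => 'Gallery <img src=x onerror=alert(1)>',
    ];
    print_r( example_audit_options( $stored ) );   // pwgrandom_category => [event_handler]

    // Constructed sample of a request body as a WAF audit log would record it.
    $body = 'pwgrandom_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&pwgrandom_category=Nature';
    print_r( example_audit_post_body( $body ) );    // pwgrandom_title => [script_tag]
}
```

Run it with `php example.php`. For the database check, feed the output of `wp option get pwgrandom_title` and `wp option get pwgrandom_category` into `example_audit_options()`; a hit on a field that legitimately should contain only a plain title or category name is a strong signal that the settings were modified through the CSRF path described in this analysis.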

07 // Remediation & Hardening

  • Update the PWGRandom plugin to version 1.12 or later. This is the primary and most effective remediation step, as it addresses the root cause of the vulnerability.

  • If updating is not immediately possible, implement a Web Application Firewall (WAF) with rules to filter out malicious requests targeting the vulnerable parameters. Configure the WAF to block requests containing <script> tags or other potentially malicious JavaScript code in the pwgrandom_title and pwgrandom_category parameters.

  • Implement CSRF protection in custom WordPress themes and plugins to prevent similar vulnerabilities in the future.

  • Regularly scan the WordPress site for vulnerabilities using a security scanner.

  • Enforce strong password policies for all administrator accounts and enable two-factor authentication (2FA).

  • Review and restrict administrator access to only necessary users and roles.

  • Keep WordPress core, themes, and other plugins up-to-date.

08 // Affected Products

PWGRandom plugin versions 1.11 and earlier for WordPress.

09 // Discovered Proof of Concept Links
