Source: cve@mitre.org
Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the lpa_post_letters parameter in the wp-limit-posts-automatically.php page to wp-admin/options-general.php.
Attackers can exploit a cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin to hijack administrator accounts and inject malicious cross-site scripting (XSS) payloads into WordPress websites. This allows for complete site compromise, including data theft, defacement, and potential server takeover. The vulnerability is easily exploitable, making it a high-priority security risk.
Step 1: Victim Authentication: The administrator is logged into the WordPress admin panel.
Step 2: Malicious Link/Payload Delivery: The attacker crafts a malicious link or embeds a malicious HTML snippet (e.g., within an email, forum post, or compromised website) that, when clicked or rendered, automatically submits a POST request to wp-admin/options-general.php.
Step 3: CSRF Exploitation: The malicious request includes the lpa_post_letters parameter with a value containing a JavaScript payload (XSS). Because the plugin lacks CSRF protection, the browser submits the request with the administrator's cookies.
Step 4: Plugin Configuration Update: The server processes the request, updating the plugin's configuration with the attacker-supplied lpa_post_letters value.
Step 5: XSS Execution: When the plugin's settings, including the malicious lpa_post_letters value, are displayed on the website (e.g., in a post or page), the injected JavaScript payload executes in the administrator's browser, leading to XSS and potential account compromise.
The vulnerability stems from a lack of CSRF protection in the WP Limit Posts Automatically plugin: the plugin does not validate the origin of requests that update its settings through the wp-admin/options-general.php page, and the lpa_post_letters parameter used to configure it is the affected input. Because there is no nonce or other CSRF protection mechanism, an attacker can trick an authenticated administrator into unknowingly submitting a request that carries a crafted lpa_post_letters value, which the plugin accepts and stores. That stored value is later displayed on the site as part of the plugin's configuration settings, where the attacker's JavaScript executes.
While no specific APTs are directly linked to this CVE, the ease of exploitation makes it attractive to a wide range of attackers, including those seeking to establish a foothold for further attacks. This type of vulnerability is often used by attackers to gain initial access. CISA KEV status: Not listed.
Monitor web server logs for suspicious POST requests to wp-admin/options-general.php with the lpa_post_letters parameter.
Analyze HTTP request headers for missing or incorrect CSRF tokens.
Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads in the lpa_post_letters parameter.
Monitor WordPress database for unexpected changes to plugin settings.
Analyze network traffic for unusual JavaScript execution or redirection patterns originating from the affected website.
Update the WP Limit Posts Automatically plugin to version 0.8 or later. If upgrading is not possible, remove the plugin entirely.
Implement a Web Application Firewall (WAF) to filter malicious requests.
Enforce strong password policies for all administrator accounts.
Regularly scan the website for malware and vulnerabilities.
Implement CSRF protection (e.g., using nonces) in all WordPress plugins and themes, especially those handling sensitive data or settings.
Educate administrators about phishing and social engineering attacks.
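The nonce-based protection recommended above, as an added example that is not the plugin's own code: a settings handler for a hypothetical WordPress plugin storing an lpa_post_letters value, written to close both weaknesses the advisory describes (the save path requires a valid nonce and the manage_options capability, and the value is sanitized on input and escaped on output). The option name, action name, function names, and the assumption that the setting is a character count are all assumptions; the form posts to admin-post.php rather than options-general.php.

```php
<?php
// Added example (not the plugin's code): hardened settings save + render.
// Option name, action name and function names are assumptions; the
// setting is assumed to be a non-negative character count.

const LPA_OPTION       = 'lpa_post_letters';
const LPA_NONCE_ACTION = 'lpa_save_settings';

// Runs for logged-in users posting to wp-admin/admin-post.php?action=lpa_save.
function lpa_handle_save() {
    // Reject requests from users who are not allowed to change options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reject requests without a valid nonce for this action. A form hosted on
    // another site cannot obtain the nonce, so a forged request dies here.
    check_admin_referer( LPA_NONCE_ACTION, 'lpa_nonce' );

    // Store a bounded integer instead of the raw submitted string, so no
    // markup or script can ever reach the option table.
    $raw     = isset( $_POST[ LPA_OPTION ] ) ? wp_unslash( $_POST[ LPA_OPTION ] ) : 0;
    $letters = min( absint( $raw ), 100000 );
    update_option( LPA_OPTION, $letters );

    wp_safe_redirect( add_query_arg( 'lpa_saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_lpa_save', 'lpa_handle_save' );

// Renders the settings form; wp_nonce_field() ties the form to the action
// checked above, and every dynamic value is escaped for its HTML context.
function lpa_render_form() {
    $current = (int) get_option( LPA_OPTION, 0 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lpa_save">
        <?php wp_nonce_field( LPA_NONCE_ACTION, 'lpa_nonce' ); ?>
        <label>Letters per post:
            <input type="number" min="0"
                   name="<?php echo esc_attr( LPA_OPTION ); ?>"
                   value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Because the nonce is bound to the logged-in user's session and the action name, a request built on an attacker-controlled page fails check_admin_referer() before any option is written, which is the control the vulnerable plugin lacked.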