CVE-2025-12685

Source: contact@wpscan.com

MEDIUM
6.5
Published: January 2, 2026 at 06:15 AM
Modified: January 2, 2026 at 10:15 PM

Vulnerability Description

The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.

CVSS Metrics

Base Score: 6.5
Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Security Analysis

01 // Technical Summary

Unauthenticated attackers can remotely delete customer data in the WPBookit WordPress plugin due to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an attacker to trick a logged-in administrator into unknowingly deleting customer records, leading to data loss and potential service disruption. Successful exploitation requires no authentication, posing a significant risk to websites using the vulnerable plugin.

02 // Vulnerability Mechanism

Step 1: Victim Login: The targeted administrator is logged into the WordPress admin panel and has the WPBookit plugin installed and activated.

Step 2: Attacker Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or JavaScript code that automatically submits a DELETE request to the vulnerable WPBookit endpoint (likely a URL related to customer deletion).

Step 3: Payload Delivery: The attacker lures the administrator to visit the malicious page or open the malicious email. This could be through phishing, social engineering, or other means.

Step 4: Request Execution: When the administrator's browser loads the malicious page or executes the JavaScript, the hidden form or script automatically sends a DELETE request to the WPBookit plugin's customer deletion endpoint. This request is sent with the administrator's existing session cookies.

Step 5: Vulnerability Trigger: Because the plugin lacks CSRF protection, it processes the DELETE request without verifying the origin or the presence of a valid CSRF token.

Step 6: Customer Deletion: The plugin executes the customer deletion operation, removing the specified customer record from the database.

Step 7: Data Loss: The targeted customer's data is permanently deleted, causing data loss and potentially disrupting the website's functionality.

03 // Deep Technical Analysis

The vulnerability stems from a missing CSRF protection mechanism in the WPBookit plugin's customer deletion functionality: the plugin does not validate a CSRF token when processing requests to delete customer records. An attacker can therefore craft a request that, when a logged-in administrator's browser issues it, triggers the deletion of a specified customer. The root cause is the absence of CSRF token verification (alongside proper authorization checks) before the customer deletion operation executes, so a forged request that carries the administrator's session cookies appears legitimate to the server, leading to unauthorized data modification.

04 // Exploitation Status

Discovery Only. While the vulnerability is well-defined, no public Proof-of-Concept (PoC) exploits are currently available. However, the simplicity of the vulnerability suggests that a PoC could be easily developed.

05 // Threat Intelligence

Due to the ease of exploitation and the potential impact (data loss), this vulnerability could be attractive to various threat actors. While no specific APT groups are directly linked at this time, the vulnerability's characteristics align with the tactics, techniques, and procedures (TTPs) of financially motivated cybercriminals and potentially nation-state actors seeking to disrupt services. CISA KEV status: Not Applicable (as of the provided date).

06 // Detection & Hunting

  • Monitor web server logs for suspicious DELETE requests to the WPBookit plugin's customer deletion endpoint, especially those lacking a CSRF token or originating from unexpected IP addresses.

  • Implement a Web Application Firewall (WAF) with rules to detect and block CSRF attacks. Look for requests that are missing CSRF tokens or carry suspicious Referer headers.

  • Analyze network traffic for unusual patterns, such as a high volume of DELETE requests targeting the customer deletion endpoint.

  • Monitor WordPress admin activity logs for unauthorized customer deletion events.
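The following access-log triage script is an added example for the hunting bullets above; it is not part of the advisory or of the WPBookit plugin. It parses combined-format web-server log lines and reports customer-deletion requests whose Referer is missing or points to a host other than the site itself, which is what a cross-site forged request looks like from the server's side. SITE_HOST, DELETE_PATTERN and the sample log lines are constructed placeholders, since the advisory does not name the real deletion endpoint.

```php
<?php
// Added example, not part of the advisory or the WPBookit plugin: triage of
// combined-format access-log lines for deletion requests whose Referer is
// missing or off-site. Host, endpoint pattern and sample lines are constructed.

const SITE_HOST = 'shop.example';

// Placeholder for the plugin's deletion endpoint. admin-ajax.php actions are
// normally carried in the POST body, which web-server logs do not record; if
// that is the case, match on the path only and rely on application-level
// logging (e.g. a hook inside the deletion handler) for the action name.
const DELETE_PATTERN = '~admin-ajax\.php\?.*action=[a-z_]*delete_customer~i';

// Combined log format:
// ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$~';

function parse_log_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null; // not combined format; skip rather than guess
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

// A legitimate admin clicking "delete" in the dashboard sends a Referer on the
// site's own host. No Referer (or "-") is suspicious but not proof: browsers
// honouring a strict Referrer-Policy also omit it, so treat it as a lead.
function referer_is_onsite( string $referer ): bool {
    if ( $referer === '' || $referer === '-' ) {
        return false;
    }
    $host = parse_url( $referer, PHP_URL_HOST );
    return is_string( $host ) && strcasecmp( $host, SITE_HOST ) === 0;
}

function triage( array $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( $r === null || ! in_array( $r['method'], array( 'POST', 'DELETE' ), true ) ) {
            continue;
        }
        if ( ! preg_match( DELETE_PATTERN, $r['path'] ) ) {
            continue;
        }
        if ( referer_is_onsite( $r['referer'] ) ) {
            continue; // normal dashboard traffic
        }
        $findings[] = sprintf(
            '[%s] %s %s from %s status=%d referer=%s',
            $r['time'], $r['method'], $r['path'], $r['ip'], $r['status'],
            $r['referer'] === '' ? '-' : $r['referer']
        );
    }
    return $findings;
}

// Constructed sample lines: one legitimate deletion from the dashboard, one
// referred from a third-party page, one with no Referer, one unrelated GET.
$sample = array(
    '203.0.113.5 - - [02/Jan/2026:09:01:11 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete_customer&customer_id=42 HTTP/1.1" 200 27 "https://shop.example/wp-admin/admin.php?page=customers" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jan/2026:09:14:52 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete_customer&customer_id=43 HTTP/1.1" 200 27 "https://third-party.invalid/free-coupon.html" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jan/2026:09:15:03 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete_customer&customer_id=44 HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jan/2026:09:16:40 +0000] "GET /wp-admin/admin.php?page=customers HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

foreach ( triage( $sample ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Only the second and third sample lines are reported: the first has an on-site Referer and the fourth is not a deletion. Findings from the same admin IP are expected, since the forged request rides on the administrator's own browser; the IP identifies the victim, not the attacker, so correlate with the administrator's browsing history rather than with the source address.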

07 // Remediation & Hardening

  • Update the WPBookit plugin to version 1.0.8 or later, which includes a fix for the CSRF vulnerability.

  • Implement a CSRF protection mechanism in the plugin's customer deletion functionality. This should involve generating a unique CSRF token for each request and validating it on the server side before processing the deletion.

  • Review and audit all other plugin functions that handle sensitive data or perform critical operations to ensure they are protected against CSRF attacks.

  • Implement a Web Application Firewall (WAF) to filter malicious requests.

  • Regularly back up the WordPress database to mitigate data loss in case of a successful attack.
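The following is an added example, not WPBookit's code, illustrating the root cause described under Deep Technical Analysis and the token-based fix recommended above. It shows a generic WordPress admin-ajax customer-deletion handler written in the pattern the advisory describes (no token verification), then the hardened form using WordPress nonces (wp_create_nonce / check_ajax_referer) plus a capability check. The action names, the example_ function names, the manage_options capability and the example_customer_store_delete() data-layer call are hypothetical placeholders.

```php
<?php
// Added example, not WPBookit's code. Shows a customer-deletion admin-ajax
// handler without CSRF protection, then the hardened version. All
// example_* names, action names and the capability are placeholders.

// Hypothetical data-layer call standing in for the plugin's own deletion code.
function example_customer_store_delete( int $customer_id ): void {
    // ... delete the customer row ...
}

/* ---- Vulnerable pattern: trusts any request carrying admin cookies ---- */
function example_delete_customer_vulnerable() {
    $customer_id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    // No nonce check and no capability check: a cross-site POST that rides on
    // the administrator's session cookie is processed like a real click.
    example_customer_store_delete( $customer_id );
    wp_send_json_success( array( 'deleted' => $customer_id ) );
}
add_action( 'wp_ajax_example_delete_customer', 'example_delete_customer_vulnerable' );

/* ---- Hardened pattern ---- */

// 1. Where the admin UI renders the delete control, emit a nonce bound to the
//    action and to this customer. A page served by another origin cannot read
//    it, so a forged request cannot include it.
function example_render_delete_button( int $customer_id ) {
    $nonce = wp_create_nonce( 'example_delete_customer_' . $customer_id );
    printf(
        '<button class="example-delete" data-id="%d" data-nonce="%s">Delete</button>',
        absint( $customer_id ),
        esc_attr( $nonce )
    );
    // The page's JavaScript sends the nonce as the _ajax_nonce POST field.
}

// 2. The handler refuses the request unless both checks pass:
//    nonce = CSRF defence (was this request produced by our own page?),
//    capability = authorization (is this user allowed to delete at all?).
function example_delete_customer_hardened() {
    $customer_id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;

    // check_ajax_referer() runs wp_verify_nonce() on $_POST['_ajax_nonce']
    // and, by default, terminates the request with HTTP 403 when it fails.
    check_ajax_referer( 'example_delete_customer_' . $customer_id, '_ajax_nonce' );

    // A nonce alone does not establish who may delete; check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    if ( 0 === $customer_id ) {
        wp_send_json_error( array( 'message' => 'invalid customer id' ), 400 );
    }

    example_customer_store_delete( $customer_id );
    wp_send_json_success( array( 'deleted' => $customer_id ) );
}
add_action( 'wp_ajax_example_delete_customer_v2', 'example_delete_customer_hardened' );
// Deliberately no 'wp_ajax_nopriv_' registration: logged-out visitors must
// never reach a deletion handler.
```

Binding the nonce action to the customer id means a token leaked or reused for one record cannot delete another. Note that WordPress nonces are valid for up to 24 hours and are tied to the user session rather than to a single request, so they stop cross-site forgery but do not replace per-request authorization or an audit log entry for each deletion.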

08 // Affected Products

WPBookit WordPress plugin versions through 1.0.7