The US government’s National Vulnerability Database (NVD) released an advisory on the Shortcodes Ultimate WordPress plugin, warning that it was found to contain a cross-site request forgery vulnerability.
Shortcodes Ultimate is a very popular WordPress plugin with over 700,000 active installs.
This vulnerability affects plugin versions older than the current version 5.12.2.
Cross-site request forgery vulnerability
Cross-site request forgery, commonly referred to as CSRF, is a type of vulnerability that, in the worst case scenario, can lead to complete website takeover.
This kind of vulnerability usually arises from targeting software functions that make changes, so that a forged request produces changes the user never intended.
Successful attacks typically depend on whether the user has administrative privileges, or on the user clicking a link that unintentionally reveals information such as a session cookie that can then be used to impersonate that person.
This type of vulnerability relies on social engineering to manipulate the end user into completing an action that exploits the plugin’s vulnerability.
According to the Open Web Application Security Project (OWASP):
“CSRF is an attack that tricks the victim into submitting a malicious request.
It inherits the victim’s identity and privileges to perform unwanted functions on the victim’s behalf…
For most sites, browser requests automatically include credentials associated with the site, such as the user’s session cookie, IP address, and Windows domain credentials.
Therefore, if the user is currently authenticated to the site, the site has no way of distinguishing between bogus requests submitted by the victim and legitimate requests submitted by the victim.”
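To make the OWASP description concrete for a WordPress plugin, here is an added illustration (not code from Shortcodes Ultimate or from the advisory) of a hypothetical admin-ajax handler that saves a shortcode-generator preset, first without and then with the protections WordPress provides. All function names prefixed `example_` are assumptions; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_nonce_field`) are real.

```php
<?php
// Added illustration, not code from the Shortcodes Ultimate plugin.
// Hypothetical admin-ajax handler that saves a shortcode-generator preset.

// VULNERABLE form: a logged-in user's browser can be made to send this
// request from a third-party page, and the handler trusts it because the
// session cookie is attached automatically. No nonce, no capability check.
function example_save_preset_vulnerable() {
    $name  = sanitize_text_field( wp_unslash( $_POST['preset_name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['preset_value'] ?? '' ) );
    update_option( 'example_preset_' . $name, $value );
    wp_send_json_success();
}

// HARDENED form: require a WordPress nonce and a capability check.
// The nonce is bound to the user's session and is unknown to a page on
// another origin, so a forged cross-site request fails the check.
function example_save_preset_hardened() {
    // Terminates the request with HTTP 403 if the nonce field is missing or invalid.
    check_ajax_referer( 'example_save_preset', 'example_preset_nonce' );

    // A valid nonce only proves intent; it does not prove authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $name  = sanitize_key( $_POST['preset_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['preset_value'] ?? '' ) );
    update_option( 'example_preset_' . $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_preset', 'example_save_preset_hardened' );

// The admin page that renders the generator form issues the matching nonce,
// which the browser submits back with the request.
function example_render_preset_form() {
    ?>
    <form id="example-preset-form">
        <?php wp_nonce_field( 'example_save_preset', 'example_preset_nonce' ); ?>
        <input type="text" name="preset_name">
        <input type="text" name="preset_value">
        <button type="submit">Save preset</button>
    </form>
    <?php
}
```

When reviewing a plugin, the two checks to look for in any handler that writes settings are exactly these: a nonce verification and a capability check; a missing nonce is what turns an ordinary settings endpoint into a CSRF target.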
National Vulnerability Database (NVD)
The National Vulnerability Database has released only a few details about the vulnerability. There is currently no full breakdown of the vulnerability itself.
The following information has been published in the NVD advisory:
“Cross-site request forgery (CSRF) vulnerability in WordPress Shortcodes Ultimate plugin <= 5.12.0 modifies plugin preset settings.”
The official Shortcodes Ultimate GitHub changelog is similarly vague, describing the update only as a security fix.
“### 5.12.1
**Security Release**
This update fixes a security vulnerability in the shortcode generator. Thanks to Dave John for discovering it.”
On the other hand, the changelog in the WordPress plugin repository explains:
“Fixed issue with shortcode generator presets introduced in last update”
The changelog above appears to misspell the name of the security researcher, but the person who discovered and reported the vulnerability, Dave Jong, CTO of Patchstack, has it spelled correctly.
Recommended course of action
WordPress publishers currently using the Shortcodes Ultimate plugin should consider updating to the latest version, which is 5.12.2 at the time of writing.
Citations
Read the National Vulnerability Database Advisory
CVE-2022-38086 Details
Read the Patchstack announcement
WordPress Shortcodes Ultimate Plugin <= 5.12.0 – Cross-Site Request Forgery (CSRF) Vulnerability
Featured image from Shutterstock/Cookie Studio