Popular WordPress plugin Shortcodes Ultimate, used on over 700,000 WordPress websites, contains a CSRF vulnerability
The United States government National Vulnerability Database (NVD) published an advisory about the Shortcodes Ultimate WordPress plugin, warning that it was discovered to contain a Cross-Site Request Forgery vulnerability.
Shortcodes Ultimate is a highly popular WordPress plugin that has over 700,000 active installations.
The NVD advisory lists plugin versions 5.12.0 and earlier as affected; the current release at the time of writing is version 5.12.2.
Cross-Site Request Forgery Vulnerability
Cross-Site Request Forgery, commonly referred to as CSRF, is a type of vulnerability that can in the worst cases lead to complete website takeover.
CSRF vulnerabilities arise when an application performs a state-changing action (such as saving a setting) in response to a request without verifying that the request was deliberately sent from one of its own pages, for example by checking a nonce or anti-CSRF token.
A successful attack generally depends on a logged-in user, for example one with administrative privileges, visiting an attacker-controlled page or clicking a link that causes their browser to send a forged request to the vulnerable site. The browser attaches the user's session cookie to that request automatically, so the site executes it with the user's privileges; the attacker never needs to see the cookie.
This kind of vulnerability therefore depends on social engineering: manipulating an end user into visiting a page or clicking a link, which then triggers the plugin vulnerability on that user's behalf.
According to the Open Web Application Security Project (OWASP):
“CSRF is an attack that tricks the victim into submitting a malicious request.
It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf…
For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth.
Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.”
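The following is an added illustration of the pattern described above, written for this page; it is not code from Shortcodes Ultimate, and the details of that plugin's vulnerability have not been published. It sketches a hypothetical WordPress plugin whose admin-ajax handler saves a "preset" option, first in the CSRF-prone form (any request arriving with a logged-in session is honoured) and then hardened with a WordPress nonce and a capability check. The action name `demo_save_preset`, the option name `demo_preset`, the script handle and the function names are assumptions made for the example.

```php
<?php
/**
 * Added illustration, not Shortcodes Ultimate's code. A hypothetical plugin
 * exposes an admin-ajax action that saves a "preset" setting. The first
 * handler shows the CSRF-prone pattern; the second is the hardened form.
 * Action, option, handle and function names are assumptions for this example.
 */

// --- Vulnerable: trusts any POST that arrives with a logged-in session. ---
// A page on attacker.example containing
//   <form method="POST" action="https://victim.example/wp-admin/admin-ajax.php">
//     <input type="hidden" name="action" value="demo_save_preset">
//     <input type="hidden" name="preset" value="attacker-controlled">
//   </form><script>document.forms[0].submit()</script>
// makes the victim's browser send this request with the victim's WordPress
// login cookie attached; the handler cannot tell it from a legitimate save.
function demo_save_preset_vulnerable() {
    $preset = isset( $_POST['preset'] ) ? wp_unslash( $_POST['preset'] ) : '';
    // No nonce check, no capability check: the setting changes for any forged request.
    update_option( 'demo_preset', $preset );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_preset', 'demo_save_preset_vulnerable' );

// --- Hardened: the nonce proves the request came from a page WordPress rendered
// for this user; the capability check proves the user may change settings. ---
function demo_save_preset_secure() {
    // check_ajax_referer() terminates with HTTP 403 unless $_POST['_ajax_nonce']
    // is a valid nonce for the 'demo_save_preset' action tied to the current user.
    check_ajax_referer( 'demo_save_preset', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $preset = isset( $_POST['preset'] )
        ? sanitize_text_field( wp_unslash( $_POST['preset'] ) )
        : '';
    update_option( 'demo_preset', $preset );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_preset_secure', 'demo_save_preset_secure' );

// The nonce is issued only to the plugin's own admin page and sent back with the
// request. An attacker's page cannot read it: it is bound to the victim's session
// and the same-origin policy stops cross-site scripts from reading our pages.
function demo_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_preset' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

The hardened handler keeps both checks because they answer different questions: the nonce establishes that the request originated from the plugin's own page for this user (defeating CSRF), while the capability check establishes that the user is authorised to change the setting at all. A handler that only checks `is_user_logged_in()` or the HTTP Referer header would still be exploitable by the forged POST shown in the comment.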
National Vulnerability Database (NVD)
The National Vulnerability Database published just a few details about the vulnerability. There is currently no complete breakdown of the vulnerability itself.
The NVD advisory published the following:
“Cross-Site Request Forgery (CSRF) vulnerability in Shortcodes Ultimate plugin <= 5.12.0 at WordPress leading to plugin preset settings change.”
The official Shortcodes Ultimate GitHub changelog was similarly vague, describing the update to fix the vulnerability:
“This update fixes a security vulnerability in the shortcode generator. Thanks to Dave John for discovering it.”
Meanwhile the WordPress plugin repository changelog explains:
“Fixed issue with Shortcode Generator Presets, introduced in the previous update”
The above changelog appears to misspell the security researcher’s name. It is correctly spelled Dave Jong; he is the CTO of Patchstack and is credited with discovering and reporting the vulnerability.
Recommended Course of Action
WordPress publishers who use the Shortcodes Ultimate plugin should update to the latest version, which at the time of writing is version 5.12.2.
Read the National Vulnerability Database Advisory
Read the Patchstack Announcement
WordPress Shortcodes Ultimate plugin <= 5.12.0 – Cross-Site Request Forgery (CSRF) vulnerability
If you are interested in the original article by Roger Montti, you can find it here.