The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory of a high severity Cross Site Request Forgery (CSRF) vulnerability affecting the Nested Pages WordPress plugin affecting up to +100,000 installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 1 – 10, with ten representing the highest level severity.
Cross Site Request Forgery (CSRF)
The Cross Site Request Forgery (CSRF) is a type of attack that takes advantage of a security flaw in the Nested Pages plugin that allows unauthenticated attackers to call (execute) PHP files, which are the code level files of WordPress.
There is a missing or incorrect nonce validation, which is a common security feature used in WordPress plugins to secure forms and URLs. A second flaw in the plugin is a missing security feature called sanitization. Sanitization is a method of securing data that’s input or output which is also common to WordPress plugins but in this case is missing.
According to Wordfence:
“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing santization of the ‘tab’ parameter.”
The CSRF attack relies on getting a signed in WordPress user (like an Administrator) to click a link which in turn allows the attacker to complete the attack. This vulnerability is rated 8.8 which makes it a high severity threat. To put that into perspective, a score of 8.9 is a critical level threat which is an even higher level. So at 8.8 it is just short of a critical level threat.
This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog.
The official changelog documents the security fix:
“Security update addressing CSRF issue in plugin settings”
Read the advisory at Wordfence:
Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion
Read the advisory at the NVD:
Featured Image by Shutterstock/Dean Drobot