CSRF Vulnerability Found in Software License Manager Plugin

Updated on September 14, 2021 - Harald Eilertsen

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Details

The vulnerability is caused by the handler for the ajax action del_reistered_domain (sic) neither performing nonce checks nor authorization of the user performing the action. 

add_action( 'wp_ajax_del_reistered_domain', 'slm_del_reg_dom' );
function slm_del_reg_dom() {
	global $wpdb;
	$reg_table = SLM_TBL_LIC_DOMAIN;
	$id        = sanitize_text_field( $_GET['id'] );
	$ret       = $wpdb->query( "DELETE FROM $reg_table WHERE id='$id'" );
	echo ( $ret ) ? 'success' : 'failed';
	exit( 0 );
}

We always recommend performing nonce checks on any action, and to authorize the user by checking it’s capabilities for all non-public action handlers.

The observant reader may also wonder if there is not a SQL Injection vulnerability here. The $_GET['id'] parameter is expected to be numeric, but this is never validated. However, as WordPress will escape any quotation marks in the request parameters, and the sanitize_text_field function will remove any URL encoded octets, the usage here should be safe from exploitation if not necessarily bug free.

Version 4.5.1 addresses both of these issues.

Recommendations

We encourage any site with versions earlier than 4.5.1 of the Software License Manager plugin for WordPress to update as soon as possible.

We strongly recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.

Timeline

2021-09-01: Vulnerability discovered by the Jetpack Scan Team
2021-09-07: Reported to WPScan, contacted vendor. 
2021-09-10: Received and verified fixed version from vendor.

This entry was posted in Vulnerabilities and tagged , , , . Bookmark the permalink.
Harald Eilertsen profile
Harald Eilertsen

Harald is a Certified Systems Security Professional (CISSP) with a wide background from software development and the security industry. He has a Master of Science in analog microelectronics from the Norwegian University of Science and Technology (NTNU), and has worked for companies such as Norman, Tandberg and Cisco before joining the Jetpack Scan team at Automattic.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

Get up to 50% off your first year.

Compare plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum

  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112,002 other subscribers

  • Browse by Topic

    • %d bloggers like this: