The United States government's National Vulnerability Database (NVD) has published an advisory regarding the Shortcodes Ultimate WordPress plugin, identifying a Cross-Site Request Forgery (CSRF) vulnerability.
Shortcodes Ultimate is a highly popular WordPress plugin with over 700,000 active installations.
The vulnerability affects plugin versions earlier than 5.12.2.
Cross-Site Request Forgery Vulnerability
Cross-Site Request Forgery, commonly known as CSRF, is a type of vulnerability that, in the worst cases, can lead to complete website takeover.
These vulnerabilities arise when a state-changing action in the software (saving a setting, for example) can be triggered by a request that the site never verifies was intentionally made by the logged-in user.
A successful attack generally depends on a user, for example one with administrative privileges, clicking a link or loading a page while logged in; the browser automatically attaches that user's session cookie to the forged request, which lets the request impersonate the user.
This vulnerability therefore relies on social engineering: an end user must be manipulated into completing an action, which then triggers the flaw in the plugin.
According to the Open Web Application Security Project (OWASP):
“CSRF is an attack that tricks the victim into submitting a malicious request.
It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf…
For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth.
Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.”
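To make the OWASP description concrete in WordPress terms, here is an added illustration (not code from Shortcodes Ultimate or from Patchstack) of a hypothetical plugin "save preset" handler, first in the shape that is open to CSRF and then hardened with WordPress's built-in nonce and capability checks. All function, action and option names (`example_*`) are assumptions for the illustration.

```php
<?php
// Added illustration, not the plugin's own code. A hypothetical settings
// handler reached through admin-post.php; names prefixed example_ are made up.

// VULNERABLE SHAPE: the handler trusts any POST that arrives with a logged-in
// user's cookie. A form on another site, auto-submitted by an administrator's
// browser, carries that cookie and so changes the preset. This is exactly the
// "forged request sent by the victim" OWASP describes. Shown for contrast only;
// it is not registered below.
function example_save_preset_unsafe() {
    $preset = isset( $_POST['preset'] ) ? wp_unslash( $_POST['preset'] ) : '';
    update_option( 'example_plugin_preset', sanitize_text_field( $preset ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// HARDENED SHAPE: require both the capability and a nonce bound to this action.
// The nonce is rendered only on the plugin's own settings page, so a cross-site
// form cannot supply it and the forged request is rejected before any change.
function example_save_preset_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'example_save_preset', 'example_nonce' );

    $preset = isset( $_POST['preset'] ) ? wp_unslash( $_POST['preset'] ) : '';
    update_option( 'example_plugin_preset', sanitize_text_field( $preset ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_preset', 'example_save_preset_safe' );

// Settings form: wp_nonce_field() emits the hidden token the hardened handler
// verifies; without it, a submitted form is treated as forged.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_preset">
        <?php wp_nonce_field( 'example_save_preset', 'example_nonce' ); ?>
        <input type="text" name="preset"
               value="<?php echo esc_attr( get_option( 'example_plugin_preset', '' ) ); ?>">
        <?php submit_button( 'Save preset' ); ?>
    </form>
    <?php
}
```

A quick review check for any plugin handler that writes options or presets is to confirm it contains both a `current_user_can()` test and a `check_admin_referer()` or `wp_verify_nonce()` call before the write.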
National Vulnerability Database (NVD)
The National Vulnerability Database has published limited details about the vulnerability. A complete breakdown of the vulnerability is not currently available.
The NVD advisory states the following:
“Cross-Site Request Forgery (CSRF) vulnerability in Shortcodes Ultimate plugin <= 5.12.0 at WordPress leading to plugin preset settings change.”
The official Shortcodes Ultimate GitHub changelog also remains vague, describing the update as follows:
“### 5.12.1
**Security release**
This update fixes a security vulnerability in the shortcode generator. Thanks to Dave John for discovering it.”
Meanwhile, the WordPress plugin repository changelog provides this information:
“Fixed issue with Shortcode Generator Presets, introduced in the previous update”
The changelog appears to have misspelled the security researcher’s name, which is correctly spelled Dave Jong, CTO of Patchstack, who is credited with discovering and reporting the vulnerability.
Recommended Course of Action
WordPress publishers currently using the Shortcodes Ultimate plugin should consider updating to the latest version, which at the time of writing is version 5.12.2.
Citations
Read the National Vulnerability Database Advisory
CVE-2022-38086 Detail
Read the Patchstack Announcement
WordPress Shortcodes Ultimate plugin <= 5.12.0 – Cross-Site Request Forgery (CSRF) vulnerability