
High Severity Vulnerability in WordPress Nested Pages Plugin

The U.S. National Vulnerability Database (NVD) and Wordfence have issued a high severity security advisory for a Cross Site Request Forgery (CSRF) vulnerability that affects the Nested Pages WordPress plugin, impacting over 100,000 installations. This vulnerability received a Common Vulnerability Scoring System (CVSS) score of 8.8 out of 10, with ten being the most severe.

Cross Site Request Forgery (CSRF)

A Cross Site Request Forgery (CSRF) attack takes advantage of a security flaw in the Nested Pages plugin, enabling unauthenticated attackers to get PHP files executed on the site; PHP files are the code files WordPress and its plugins are built from.

The vulnerability is partly due to missing or incorrect nonce validation. A nonce is a standard WordPress security token used to confirm that a form submission or URL was actually generated for the logged-in user rather than forged by a third party. The other issue is the absence of sanitization, the step that cleans untrusted input before it is used. Both are common practice in WordPress plugins but were missing in this instance.

According to Wordfence:

"This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing sanitization of the ‘tab’ parameter."

The CSRF attack requires a signed-in WordPress user, such as an Administrator, to click a crafted link; the forged request then completes the attack with that user's session. This vulnerability's rating of 8.8 makes it a high severity threat. For further context, a score of 8.9 is considered a critical level threat, indicating that at 8.8, this vulnerability is just below that threshold.
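As an added illustration (constructed for this article, not the Nested Pages plugin's own code; the function names, tab names and view paths are assumed), here is the vulnerable shape the advisory describes next to a hardened version that checks a nonce and restricts the 'tab' parameter:

```php
<?php
// Constructed example: vulnerable settings-page shape beside a hardened one.
// Assumed tab list and view paths; NOT the Nested Pages plugin's own code.
const NP_DEMO_TABS = array( 'general', 'display', 'advanced' );

// VULNERABLE shape: no nonce check, no capability check, and the raw
// 'tab' request parameter decides which file is included. A forged
// request opened by a logged-in admin therefore controls the include path.
function np_demo_settings_page_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    include plugin_dir_path( __FILE__ ) . 'views/' . $tab . '.php';
}

// HARDENED shape:
//  1. require the capability the page is meant for,
//  2. verify the nonce tied to this action (a forged link cannot carry a
//     valid one, because the nonce is bound to the victim's own session),
//  3. reduce 'tab' to a safe key and accept it only from a fixed allow-list.
function np_demo_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Stops the request with "The link you followed has expired." when the
    // nonce is missing or invalid, before any input is touched.
    check_admin_referer( 'np_demo_settings', '_wpnonce' );

    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, NP_DEMO_TABS, true ) ) {
        $tab = 'general'; // unknown values fall back instead of reaching include()
    }
    include plugin_dir_path( __FILE__ ) . 'views/' . $tab . '.php';
}

// Legitimate tab links must carry the matching nonce so normal navigation still works.
function np_demo_tab_url( $tab ) {
    $url = add_query_arg( array( 'page' => 'np-demo', 'tab' => $tab ), admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'np_demo_settings', '_wpnonce' );
}
```

Plugin authors auditing their own settings pages can apply the same three checks; site owners cannot patch the plugin this way and should update to 3.2.8 or later.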

This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The plugin developers released a security fix in version 3.2.8 and have documented the details in their changelog.

The official changelog notes the security update:

"Security update addressing CSRF issue in plugin settings."

Read the advisory at Wordfence:

Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

Read the advisory at the NVD:

CVE-2024-5943 Detail

Featured Image by Shutterstock/Dean Drobot
