WordPress Nested Pages Plugin High Severity Vulnerability

High severity CSRF vulnerability in the Nested Pages WordPress Plugin affects up to +100,000 installations The post WordPress Nested Pages Plugin High Severity Vulnerability appeared first on Search Engine Journal.

Originally Posted on Search Engine Journal by Roger Montti

High severity vulnerability affecting up to +100,000 installations allows unauthenticated attackers to execute CSRF exploit

Vulnerability in Nested Pages WordPress plugin

The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory of a high severity Cross Site Request Forgery (CSRF) vulnerability affecting the Nested Pages WordPress plugin affecting up to +100,000 installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 1 – 10, with ten representing the highest level severity.

Cross Site Request Forgery (CSRF)

The Cross Site Request Forgery (CSRF) is a type of attack that takes advantage of a security flaw in the Nested Pages plugin that allows unauthenticated attackers to call (execute) PHP files, which are the code level files of WordPress.

There is a missing or incorrect nonce validation, which is a common security feature used in WordPress plugins to secure forms and URLs. A second flaw in the plugin is a missing security feature called sanitization. Sanitization is a method of securing data that’s input or output which is also common to WordPress plugins but in this case is missing.

According to Wordfence:

“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing santization of the ‘tab’ parameter.”

The CSRF attack relies on getting a signed in WordPress user (like an Administrator) to click a link which in turn allows the attacker to complete the attack. This vulnerability is rated 8.8 which makes it a high severity threat. To put that into perspective, a score of 8.9 is a critical level threat which is an even higher level. So at 8.8 it is just short of a critical level threat.

This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog.

The official changelog documents the security fix:

“Security update addressing CSRF issue in plugin settings”

Read the advisory at Wordfence:

Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

Read the advisory at the NVD:

CVE-2024-5943 Detail

Featured Image by Shutterstock/Dean Drobot