WordPress Nested Pages Plugin High Severity Vulnerability

The U.S. National Vulnerability Database (NVD) and Wordfence issued a security advisory regarding a significant Cross-Site Request Forgery (CSRF) vulnerability in the Nested Pages WordPress plugin. This vulnerability impacts over 100,000 installations. It has been assigned a Common Vulnerability Scoring System (CVSS) rating of 8.8 out of 10, indicating a high level of severity.

Cross Site Request Forgery (CSRF)

The Cross-Site Request Forgery (CSRF) attack exploits a security flaw in the Nested Pages plugin that enables unauthorized attackers to execute PHP files within WordPress. PHP files are the code-level components of a WordPress site.

The plugin suffers from two primary flaws. First, nonce validation is inadequate or absent; nonces are a standard security measure in WordPress plugins that safeguards forms and URLs. Second, it lacks sanitization, a critical method for securing input and output data that is commonly employed in WordPress plugins.

According to Wordfence:

“The issue arises from missing or incorrect nonce validation in the ‘settingsPage’ function and the absence of sanitization for the ‘tab’ parameter.”
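The two controls named in that advisory, shown in an added example that is not the Nested Pages plugin's own code: a hypothetical WordPress settings-page callback that checks capability and nonce, then resolves the 'tab' parameter through an allowlist. The example_* names, the 'example_settings_tab' nonce action, the 'example-settings' page slug and the views/ paths are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin code, not taken from Nested Pages.
// All example_* names, the nonce action and the view paths are assumptions.

// Allowlist: the only tabs the settings screen can render, mapped to fixed files.
const EXAMPLE_TABS = array(
    'general'  => 'views/general.php',
    'advanced' => 'views/advanced.php',
);

// Build tab links that carry a nonce bound to the current user and this action.
function example_tab_url( $tab ) {
    $url = add_query_arg(
        array( 'page' => 'example-settings', 'tab' => $tab ),
        admin_url( 'options-general.php' )
    );
    return wp_nonce_url( $url, 'example_settings_tab' );
}

function example_settings_page() {
    // 1. Capability check: a valid nonce alone is not an authorization check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to manage these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    $tab = 'general'; // The default tab needs no request input.
    if ( isset( $_GET['tab'] ) ) {
        // 2. Nonce check: a link forged on another site cannot carry a valid
        //    _wpnonce value, so check_admin_referer() ends the request here.
        check_admin_referer( 'example_settings_tab' );

        // 3. Sanitization: normalise the value, then accept only allowlisted keys.
        $requested = sanitize_key( wp_unslash( $_GET['tab'] ) );
        if ( array_key_exists( $requested, EXAMPLE_TABS ) ) {
            $tab = $requested;
        }
    }

    // The file path comes from the constant map, never from the request itself.
    require plugin_dir_path( __FILE__ ) . EXAMPLE_TABS[ $tab ];
}
```

An unknown or malformed 'tab' value falls back to the default view instead of reaching the file system, so neither control depends on the other being present.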

The CSRF attack hinges on persuading a signed-in WordPress user, such as an Administrator, to click a malicious link, thereby enabling the attacker to execute their malicious actions. Rated at 8.8, this vulnerability is considered highly severe. For context, a score of 8.9 would classify it as a critical threat, just one notch higher.

This security flaw impacts all versions of the Nested Pages plugin up to and including version 3.2.7. To address this issue, the plugin developers released a security patch in version 3.2.8 and transparently disclosed the details of the fix in their changelog.

The official changelog entry reads:

“Security update addressing CSRF issue in plugin settings”

Original news from SearchEngineJournal