What is Cross-Site Request Forgery?

Let’s talk about Cross-Site Request Forgery. It’s a common security vulnerability that might have affected your website as well. In fact, according to the 2022 State of WordPress Security Report, Cross-Site Request Forgery was the most prevalent vulnerability type found in WordPress plugins. In 2023, it ranked second.

While Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) may sound similar, they are distinct vulnerabilities. Moreover, when combined, they can create a much more dangerous threat. To ensure you don’t fall victim to this, let’s dive into what CSRF is and why it happens.

What causes a Cross-Site Request Forgery (CSRF vulnerability?

Cross-Site Request Forgery occurs due to the absence of CSRF tokens (also known as nonces in WordPress). These unique tokens are generated by the server and are associated with the user’s session. For example, each time a form is submitted, the server checks whether the submitted token matches the expected nonce value. If a WordPress plugin or theme does not implement CSRF tokens properly, it becomes vulnerable to CSRF attacks.

In some cases, developers may also forget to include checks that verify the user’s intent to perform a particular action. If such checks are missing, an attacker could craft a request that appears legitimate to the server but is actually initiated by the attacker.

What can happen if your WordPress website has an CSRF vulnerability?

If your website is vulnerable to CSRF, an attacker can trick a logged-in user into requesting a URL that performs some kind of privileged action on the website. Such actions can include changing site settings (such as enabling user registration), modifying content, and more.

CSRF is rarely exploited actively in the wild because it requires a privileged user to be tricked into clicking on a link that includes instructions to perform some kind of meaningful action. To execute such attacks, hackers often need to combine them with social engineering tactics. The high complexity and generally low impact make this vulnerability type less attractive to hackers.

However, if your site is also vulnerable to Cross-Site Scripting (XSS), it’s a different story. Since an XSS vulnerability allows attackers to inject arbitrary code into pages on the compromised website, the attacker can now perform a CSRF attack without any user interaction. Given that XSS and CSRF are the top two most common vulnerability types found in the WordPress ecosystem, CSRF should be taken very seriously.

What can WordPress developers do to avoid CSRF vulnerabilities?

WordPress provides several functions that plugin and theme developers can use to avoid CSRF vulnerabilities. Developers can use the wp_create_nonce function to generate the nonce token. They can then verify nonces with wp_verify_nonce or use check_admin_referer, which automatically exits the script if no nonce token can be validated. It’s important to ensure the nonce check is properly implemented so that it cannot be bypassed due to flawed logic.

WordPress admins can avoid CSRF by being cautious when clicking on suspicious links that lead to their own website, particularly those directing to /wp-admin/. Monitor your website for potential vulnerabilities and pay extra attention to preventing XSS and CSRF vulnerabilities from being present simultaneously.

Conclusion

Cross-Site Request Forgery (CSRF) is a significant security threat that can lead to unauthorized actions on your WordPress site if left unaddressed. Although it may not be as commonly exploited as other vulnerabilities, its potential impact, especially when combined with Cross-Site Scripting (XSS), makes it crucial for WordPress developers and administrators to implement proper security measures.