CVE-2023-34024
📋 TL;DR
This CSRF vulnerability in the WP Full Auto Tags Manager WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. Attackers can create malicious requests that execute when an admin visits a compromised page, potentially modifying plugin settings or tags. All WordPress sites using plugin versions 2.2 or earlier are affected.
💻 Affected Systems
- WordPress WP Full Auto Tags Manager plugin
📦 What is this software?
Full Auto Tags Manager by Guillemantdavid
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify plugin settings, manipulate tags across the entire site, or potentially chain with other vulnerabilities to gain administrative access or execute arbitrary code.
Likely Case
Attackers trick administrators into changing plugin configurations or tag management settings, potentially disrupting site functionality or SEO.
If Mitigated
With proper CSRF tokens (WordPress nonces) checked on every state-changing request, plus origin checks, the vulnerability is prevented: a forged cross-site request cannot carry a valid token and is rejected.
🎯 Exploit Status
CSRF attacks are well-understood and easy to weaponize, though they require social engineering to trick authenticated users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Full Auto Tags Manager'.
4. Click 'Update Now' if available, or delete and reinstall the latest version.
5. Verify the version is 2.3 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until the patched version is installed
wp plugin deactivate wp-full-auto-tags-manager
CSRF Protection Middleware
Implement custom CSRF protection (nonce checks on the plugin's state-changing requests) at the WordPress level
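To show what the "If Mitigated" and "CSRF Protection Middleware" items mean in practice, here is an added illustration of a WordPress admin settings handler in its CSRF-prone shape beside its nonce-protected shape. This is example code, not the plugin's own source; the option name, action names and page slug are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): a settings handler for a
// WordPress admin page, in the CSRF-prone shape and the hardened shape.
// Option 'fatm_example_settings', action 'fatm_save_settings' and page
// slug 'fatm-example' are hypothetical names.

// BEFORE: any POST that reaches this handler is honoured. The capability
// check only proves the browser holds an admin session; it does not prove
// the admin intended the request, which is exactly what CSRF abuses.
function fatm_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // No nonce check: the request's origin is never verified.
    update_option( 'fatm_example_settings', sanitize_text_field( wp_unslash( $_POST['tags'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=fatm-example' ) );
    exit;
}

// AFTER: the settings form embeds a nonce bound to this action and the
// current user's session, and the handler refuses requests without it.
function fatm_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fatm_save_settings">';
    wp_nonce_field( 'fatm_save_settings' ); // emits _wpnonce and _wp_http_referer fields
    echo '<input type="text" name="tags">';
    submit_button( 'Save' );
    echo '</form>';
}

function fatm_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Dies with a 403 "link has expired" page when _wpnonce is missing,
    // invalid, or issued for another user or action.
    check_admin_referer( 'fatm_save_settings' );
    update_option( 'fatm_example_settings', sanitize_text_field( wp_unslash( $_POST['tags'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=fatm-example' ) );
    exit;
}
add_action( 'admin_post_fatm_save_settings', 'fatm_save_settings_hardened' );
```

The same pattern applies to AJAX handlers (check_ajax_referer) and to GET-triggered actions, which should be converted to nonce-carrying POSTs.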
🧯 If You Can't Patch
- Implement strict same-origin policies and Content Security Policy headers
- Require re-authentication for sensitive administrative actions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins, find WP Full Auto Tags Manager and verify version is <= 2.2
Check Version:
wp plugin get wp-full-auto-tags-manager --field=version
Verify Fix Applied:
After update, verify plugin version shows 2.3 or higher in WordPress admin plugins list
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin.php?page=wp-full-auto-tags-manager from unexpected referrers
- Multiple failed nonce (CSRF token) validations, where your logging captures them (WordPress does not log these by default)
Network Indicators:
- HTTP requests with missing or invalid nonce parameters to plugin endpoints
- Requests with suspicious referrer headers
SIEM Query:
source="wordpress.log" AND ("wp-full-auto-tags-manager" OR "admin.php?page=wp-full-auto-tags-manager") AND (http_method=POST)
🔗 References
- https://patchstack.com/database/vulnerability/wp-full-auto-tags-manager/wordpress-wp-full-auto-tags-manager-plugin-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve