CVE-2023-47237

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the Auto Publish for Google My Business WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. Attackers can force admins to change plugin settings or potentially connect malicious Google accounts when they visit specially crafted pages. WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Auto Publish for Google My Business WordPress plugin
Versions: <= 3.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress admin to be logged in and visit malicious page while authenticated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could connect malicious Google accounts to the site, potentially enabling content manipulation, data exfiltration, or using the site's Google My Business account for malicious purposes.

🟠 Likely Case

Attackers modify plugin settings, disrupt Google My Business integration, or force unwanted content publication.

🟢 If Mitigated

With proper CSRF protections and admin awareness, exploitation attempts fail or have minimal impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF exploits are typically simple to weaponize once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 3.7

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-google-my-business-auto-publish/wordpress-auto-publish-for-google-my-business-plugin-3-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Auto Publish for Google My Business'.
4. Click 'Update Now' if available.
5. If no update appears, manually download the latest version from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched.

wp plugin deactivate wp-google-my-business-auto-publish

🧯 If You Can't Patch

  • Implement CSRF tokens manually in plugin code or use WordPress security plugins that add CSRF protection.
  • Restrict admin access to trusted networks only and educate administrators about CSRF risks.
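The CSRF-token mitigation above, shown as an added PHP illustration that is not the plugin's own code: a hypothetical settings handler for a WordPress admin page, first in the unprotected form that a forged cross-site POST can drive, then hardened with a capability check and a WordPress nonce (WordPress's CSRF token). The option name, nonce action and function names are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's code. Option/nonce/function names are
// assumptions for the example.

// VULNERABLE pattern: trusts any POST that reaches the admin page. A logged-in
// admin who loads a page that auto-submits this form changes the setting
// without intending to, which is the class of bug CVE-2023-47237 describes.
function gmb_example_save_settings_vulnerable() {
    if ( isset( $_POST['gmb_example_account'] ) ) {
        update_option( 'gmb_example_account', $_POST['gmb_example_account'] );
    }
}

// HARDENED pattern: the form carries a nonce, and the handler checks
// capability, nonce and input before touching the option.
function gmb_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'gmb_example_save_settings', 'gmb_example_nonce' ); ?>
        <input type="hidden" name="action" value="gmb_example_save_settings">
        <input type="text" name="gmb_example_account"
               value="<?php echo esc_attr( get_option( 'gmb_example_account', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function gmb_example_save_settings_hardened() {
    // Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid nonce for this action. A page on
    // another origin cannot read the nonce, so a forged request stops here.
    check_admin_referer( 'gmb_example_save_settings', 'gmb_example_nonce' );

    $account = isset( $_POST['gmb_example_account'] )
        ? sanitize_text_field( wp_unslash( $_POST['gmb_example_account'] ) )
        : '';
    update_option( 'gmb_example_account', $account );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
// admin-post.php routes action=gmb_example_save_settings to the hardened handler.
add_action( 'admin_post_gmb_example_save_settings', 'gmb_example_save_settings_hardened' );
```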

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Auto Publish for Google My Business → Version. If version is 3.7 or lower, you are vulnerable.

Check Version:

wp plugin get wp-google-my-business-auto-publish --field=version

Verify Fix Applied:

After update, verify plugin version is higher than 3.7 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin setting changes in WordPress logs
  • Multiple failed CSRF token validations

Network Indicators:

  • HTTP POST requests to plugin admin endpoints without proper referrer headers

SIEM Query:

source="wordpress" AND (plugin="wp-google-my-business-auto-publish" AND action="update")

🔗 References