CVE-2023-5934
📋 TL;DR
This CSRF vulnerability in the Travelpayouts WordPress plugin allows attackers to trick logged-in administrators into unknowingly changing plugin settings. Attackers can craft malicious web pages that, when visited by an admin, automatically submit requests to modify plugin configurations. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Travelpayouts: All Travel Brands in One Place WordPress plugin
📦 What is this software?
Travelpayouts by Travelpayouts
⚠️ Risk & Real-World Impact
Worst Case
Attackers could reconfigure the plugin to redirect legitimate traffic, inject malicious content, or disable security features, potentially leading to site compromise or data leakage.
Likely Case
Attackers modify plugin settings to display malicious ads, redirect users to phishing sites, or change affiliate tracking codes to steal commissions.
If Mitigated
With proper CSRF protections and admin awareness, successful exploitation requires convincing an admin to visit a malicious page while authenticated, making attacks less likely.
🎯 Exploit Status
CSRF attacks are well-understood and easy to implement. Exploitation requires social engineering to get an admin to visit a malicious page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.13
Vendor Advisory: https://wpscan.com/vulnerability/2a45cdba-df41-457e-bff9-2d6d89776dd0/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Travelpayouts: All Travel Brands in One Place'.
4. Click 'Update Now' if available, or download version 1.1.13+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
CSRF Protection via WordPress Nonce
Add CSRF protection to the import-settings functionality by implementing WordPress nonce verification.
Requires code modification: add a wp_verify_nonce() check before processing import requests. A capability check alone is not enough, because a forged request from another site still carries the logged-in admin's cookies.
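The following is an added example written for this page, not the plugin's own code: a minimal admin-ajax handler for an "import settings" action, shown first without CSRF protection and then with the nonce check the workaround describes. The function names (tp_example_*), the ajax action tp_example_import_settings, and the option key tp_example_settings are hypothetical; only the WordPress API calls (wp_verify_nonce, wp_nonce_field, current_user_can, update_option) are real.

```php
<?php
// Added example, not the plugin's code. Names prefixed tp_example_ are
// hypothetical; the WordPress functions used are real.

// --- Vulnerable form: every request carrying the action is processed. ---
// A page on another origin can auto-submit a POST to admin-ajax.php; the
// browser attaches the admin's session cookie, current_user_can() passes,
// and the settings are overwritten. This is the CSRF pattern the CVE
// describes.
function tp_example_import_settings_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    update_option( 'tp_example_settings', $settings );
    wp_send_json_success();
}

// --- Hardened form: capability check plus nonce verification. ---
// The nonce is bound to the logged-in user and session and is only emitted
// into pages served by this site, so a cross-site form cannot supply a
// valid one and the request is rejected before any state changes.
function tp_example_import_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'tp_example_import_settings' ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'bad payload', 400 );
    }
    update_option( 'tp_example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_tp_example_import_settings', 'tp_example_import_settings_protected' );

// The plugin's own settings page must emit the matching nonce so that
// legitimate submissions pass the check above.
function tp_example_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="tp_example_import_settings">
        <?php wp_nonce_field( 'tp_example_import_settings', '_wpnonce' ); ?>
        <textarea name="settings"></textarea>
        <button type="submit">Import</button>
    </form>
    <?php
}
```

The nonce action string passed to wp_nonce_field() and wp_verify_nonce() must match exactly; using a distinct action per operation (rather than one nonce for the whole plugin) keeps a nonce leaked from one form from authorising another.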
Disable Plugin
Temporarily disable the vulnerable plugin until patched (WP-CLI, run on the server):
wp plugin deactivate travelpayouts
🧯 If You Can't Patch
- Implement strict access controls limiting admin panel access to trusted networks only
- Use browser extensions that block CSRF attempts or enforce same-origin policies
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Travelpayouts plugin version. If version is below 1.1.13, you are vulnerable.
Check Version:
wp plugin get travelpayouts --field=version
Verify Fix Applied:
Verify plugin version is 1.1.13 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=travelpayouts_import_settings from unexpected referrers
- Multiple failed import attempts from different IPs
Network Indicators:
- HTTP requests with suspicious Referer headers pointing to external domains
- Unexpected configuration changes without corresponding admin activity logs
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="travelpayouts_import_settings") AND NOT referer CONTAINS "your-domain.com"
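As an added example (not part of the advisory), the PHP script below applies the log indicators listed above to web-server access-log lines in combined format: it flags POSTs to /wp-admin/admin-ajax.php for the travelpayouts_import_settings action whose Referer is missing or points off-site, and counts hits per source IP. The log lines and the site host example-site.test are constructed for this example. One caveat the SIEM query glosses over: standard access logs record only the query string, not the POST body, so if the action parameter is sent in the body you need a WAF or application-level log to see it.

```php
<?php
// Added example, not from the advisory. Sample log lines and the site host
// are constructed; the action name and path come from the advisory.

const TP_SITE_HOST = 'example-site.test';   // assumption: the protected site

// Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
const TP_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

const TP_SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [10/Nov/2023:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=travelpayouts_import_settings HTTP/1.1" 200 31 "https://lure.example/page.html" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2023:14:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=travelpayouts_import_settings HTTP/1.1" 200 31 "https://example-site.test/wp-admin/admin.php?page=travelpayouts" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2023:14:05:02 +0000] "POST /wp-admin/admin-ajax.php?action=travelpayouts_import_settings HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2023:14:06:15 +0000] "GET /wp-admin/admin.php?page=travelpayouts HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
LOG;

function tp_parse_line( string $line ): ?array {
    if ( ! preg_match( TP_LOG_RE, $line, $m ) ) {
        return null; // not in combined format; skip rather than guess
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'target'  => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// Matches the advisory's log indicator: POST to admin-ajax.php carrying the
// import action, with a Referer that is absent ("-") or not this site.
function tp_is_suspicious( array $r ): bool {
    if ( $r['method'] !== 'POST' ) {
        return false;
    }
    $url = parse_url( $r['target'] );
    if ( ( $url['path'] ?? '' ) !== '/wp-admin/admin-ajax.php' ) {
        return false;
    }
    parse_str( $url['query'] ?? '', $q );
    if ( ( $q['action'] ?? '' ) !== 'travelpayouts_import_settings' ) {
        return false;
    }
    if ( $r['referer'] === '-' || $r['referer'] === '' ) {
        return true; // browsers normally send a Referer for same-site admin forms
    }
    $ref_host = parse_url( $r['referer'], PHP_URL_HOST );
    return strcasecmp( (string) $ref_host, TP_SITE_HOST ) !== 0;
}

// Returns suspicious hits grouped by source IP, which also covers the
// "multiple attempts from different IPs" indicator.
function tp_scan( string $log ): array {
    $hits = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = tp_parse_line( $line );
        if ( $r !== null && tp_is_suspicious( $r ) ) {
            $hits[ $r['ip'] ][] = $r;
        }
    }
    return $hits;
}

foreach ( tp_scan( TP_SAMPLE_LOG ) as $ip => $hits ) {
    printf( "%s: %d suspicious import request(s)\n", $ip, count( $hits ) );
    foreach ( $hits as $h ) {
        printf( "  [%s] status=%d referer=%s\n", $h['time'], $h['status'], $h['referer'] );
    }
}
// Expected: 198.51.100.7 is reported twice (off-site and missing Referer);
// the 203.0.113.5 request with a same-site Referer is not flagged.
```

Because a CSRF victim is a legitimate admin, the flagged requests will come from the admin's own IP with a valid session; the Referer (or its absence) is the distinguishing signal, so verify the web server actually logs it before relying on this query.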