CVE-2023-7196
📋 TL;DR
This vulnerability allows attackers to trick WordPress administrators into changing the Ultimate Noindex Nofollow Tool plugin settings without their consent. Attackers can craft malicious requests that execute when an admin visits a compromised page, potentially altering SEO settings. Only WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Ultimate Noindex Nofollow Tool WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable noindex/nofollow settings across the entire site, potentially exposing private content to search engines or altering SEO performance.
Likely Case
Attackers modify plugin settings to affect SEO visibility, potentially exposing content intended to be hidden from search engines.
If Mitigated
With proper CSRF protections and admin awareness, exploitation attempts would fail or be detected.
🎯 Exploit Status
Exploitation requires social engineering to trick an admin into clicking a malicious link while authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.3 or later
Vendor Advisory: https://wpscan.com/vulnerability/15ea1ffd-5a0c-422c-8c9c-7b632516a156/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultimate Noindex Nofollow Tool'.
4. Click 'Update Now' if available, or download the latest version from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until the patched version is installed:
wp plugin deactivate ultimate-noindex-nofollow-tool
CSRF Protection via .htaccess
Add framing-protection headers at the web server level (for example in .htaccess on Apache). These stop the plugin's admin page from being embedded in a hidden frame, but they do not block a plain cross-site form POST, so they reduce only part of the exposure and are not a substitute for the update:
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'"
🧯 If You Can't Patch
- Remove the plugin entirely and use alternative SEO management tools
- Implement web application firewall rules that block cross-site POSTs (missing or foreign Origin/Referer headers) to the plugin's admin endpoints
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins. If the version is 1.1.2 or earlier, the site is vulnerable.
Check Version:
wp plugin get ultimate-noindex-nofollow-tool --field=version
Verify Fix Applied:
Verify plugin version is 1.1.3 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin.php?page=ultimate-noindex-nofollow-tool from unexpected referrers
- Admin user settings changes without corresponding admin page visits
Network Indicators:
- CSRF attack patterns with mismatched Origin/Referer headers targeting plugin admin endpoints
SIEM Query (pseudo-syntax; adapt field names and the site domain to your SIEM):
source="wordpress.log" AND (uri="/wp-admin/admin.php?page=ultimate-noindex-nofollow-tool" AND http_method="POST") AND NOT (referer CONTAINS "your-domain.com")
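The log indicator above, POSTs to the plugin's admin page whose Referer is missing or belongs to another host, as an added example for offline testing (not code from the advisory or the plugin). It assumes Apache/nginx combined log format and that settings saves are posted to the admin.php?page=ultimate-noindex-nofollow-tool URL named above; the log lines are constructed.

```python
"""Flag POSTs to the plugin's admin page whose Referer is absent or foreign,
the CSRF pattern described under Log Indicators."""
import re
from urllib.parse import urlparse

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PLUGIN_PAGE = "/wp-admin/admin.php"
PLUGIN_QUERY = "page=ultimate-noindex-nofollow-tool"


def suspicious_posts(log_lines, site_host):
    """Return (ip, time, referer) for POSTs to the plugin admin page whose
    Referer is '-' (absent) or names a host other than site_host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable lines and non-POSTs are not of interest
        url = urlparse(m["path"])
        if url.path != PLUGIN_PAGE or PLUGIN_QUERY not in url.query:
            continue
        referer = m["referer"]
        ref_host = urlparse(referer).hostname if referer != "-" else None
        if ref_host != site_host:
            hits.append((m["ip"], m["time"], referer))
    return hits


# Constructed sample lines (not real traffic): one legitimate save from the
# site's own admin UI, two cross-site POSTs, and an ordinary GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin.php?page=ultimate-noindex-nofollow-tool HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=ultimate-noindex-nofollow-tool" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:05:42 +0000] "POST /wp-admin/admin.php?page=ultimate-noindex-nofollow-tool HTTP/1.1" 302 0 "https://attacker.invalid/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2024:10:06:10 +0000] "POST /wp-admin/admin.php?page=ultimate-noindex-nofollow-tool HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:07:00 +0000] "GET /wp-admin/admin.php?page=ultimate-noindex-nofollow-tool HTTP/1.1" 200 5120 "https://example.com/wp-admin/plugins.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG, "example.com"):
        print("suspicious plugin-settings POST:", hit)
```

A missing Referer is flagged because browsers send none for requests launched from non-HTTPS or referrer-suppressing pages; expect some false positives from admins with a strict Referrer-Policy, so correlate hits with the settings-change timeline noted under Log Indicators.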