Fast & Fancy Filter – 3F <= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action

This research plan targets CVE-2026-6396, a Cross-Site Request Forgery (CSRF) vulnerability in the Fast & Fancy Filter – 3F plugin (versions <= 1.2.2). The vulnerability allows an attacker to modify plugin settings or potentially update arbitrary WordPress options due to missing nonce verification in the AJAX handler for fff_save_settins.

---

1. Vulnerability Summary

• Vulnerability: Cross-Site Request Forgery (CSRF)
• Vulnerable Action: fff_save_settins (Note the spelling: "settins")
• Vulnerable Function: saveFields()
• Nature of Flaw: The saveFields function handles AJAX requests to update plugin configurations but fails to implement check_ajax_referer() or wp_verify_nonce().
• Impact: An unauthenticated attacker can trick a logged-in administrator into visiting a malicious site that triggers a background request to the vulnerable WordPress site, leading to unauthorized configuration changes or creation of filter posts.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: fff_save_settins
• HTTP Method: POST
• Authentication: Requires an active administrator session (leveraged via CSRF).
• Preconditions: The attacker must trick an administrator into clicking a link or visiting a page they control.
• Vulnerable Parameter: Likely a serialized array or multiple POST fields representing settings/fields to be updated.

3. Code Flow (Inferred from Description)

1. Registration: The plugin registers the AJAX action using:
   add_action('wp_ajax_fff_save_settins', 'saveFields');
2. Trigger: An administrator's browser sends a POST request to admin-ajax.php with action=fff_save_settins.
3. Execution: The saveFields() function is invoked.
4. Processing:
   • The function likely extracts data from $_POST.
   • It may use update_option() to save settings or wp_insert_post() to create/update filter objects.
   • Crucially: It skips any call to check_ajax_referer() or wp_verify_nonce(), allowing the request to proceed as long as the user is authenticated (which wp_ajax_ handles automatically).

4. Nonce Acquisition Strategy

According to the vulnerability report, no nonce verification is present. Therefore, no nonce is required to exploit this vulnerability. The attack succeeds purely based on the administrator's session cookies.

5. Exploitation Strategy

To demonstrate the CSRF, the agent will simulate an administrator performing a request that was forged by a third party.

Step 1: Locate the AJAX Handler and Parameters
Before the exploit, identify the exact parameters expected by saveFields.

• Search for the string fff_save_settins in the plugin directory.
• Analyze the saveFields function to see which $_POST keys are used (e.g., fff_data, fields, id, etc.).

Step 2: Construct the CSRF Payload
Assuming the plugin saves settings via a parameter named settings_data (inferred):

• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Content-Type: application/x-www-form-urlencoded
• Body: action=fff_save_settins&[IDENTIFIED_PARAMETER]=[MALICIOUS_VALUE]

Step 3: Execution via Agent
The agent will use http_request with the administrator's cookies to simulate the victim admin being CSRF'd.

6. Test Data Setup

1. Install Plugin: Ensure fast-fancy-filter-3f version <= 1.2.2 is active.
2. Create Admin User: Ensure a user with administrator role exists (default admin).
3. Identify Target Option: Determine which option the plugin updates (e.g., fff_settings or fff_filter_config). Note its current value using WP-CLI.

7. Expected Results

• The admin-ajax.php request should return a 200 OK status and potentially a success message (e.g., {"success":true} or 1).
• The database state for the plugin's settings should change to reflect the attacker's payload.

8. Verification Steps

After performing the HTTP request, use WP-CLI to verify the change:

# Check if a specific plugin option was changed
wp option get [OPTION_NAME_FOUND_IN_STEP_1]

# If the vulnerability allows arbitrary option updates (as suggested):
wp option get blogname # Check if it was changed to 'Hacked'

9. Alternative Approaches

If the plugin uses wp_insert_post instead of update_option:

• Payload: action=fff_save_settins&post_title=Malicious+Filter&post_status=publish&post_type=fff_filter (inferred type).
• Verification: wp post list --post_type=fff_filter to see if a new post was created.

If the AJAX action is wp_ajax_nopriv_fff_save_settins (unlikely for settings, but possible), the attack would not even require CSRF and could be performed directly.

---

Step-by-Step Execution Plan for Agent:

1. Scan Source:
   grep -rn "fff_save_settins" /var/www/html/wp-content/plugins/fast-fancy-filter-3f/
2. Identify Handler: Locate the saveFields function in the file identified in step 1.
3. Extract Parameters: Read the code of saveFields to find exactly how it saves data. Look for update_option or wp_insert_post.
4. Baseline Check:
   wp option get [OPTION_NAME]
5. Simulate CSRF:
   Use http_request to POST to admin-ajax.php with the administrator's cookies and the fff_save_settins action.
6. Final Verification:
   wp option get [OPTION_NAME] and confirm the value matches the payload.