In a recent round of intensive plugin testing, a concerning security flaw has come to light. The All Users Messenger plugin, a widely used communication tool for WordPress, harbors a significant Insecure Direct Object Reference (IDOR) vulnerability.

Main info:

PluginAll Users Messenger
Publicly PublishedAugust 7, 2023
Last UpdatedAugust 7, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A5: Broken Access Control
ExploitWill be later
Plugin Security Certification by CleanTalk


July 25, 2023Plugin testing and vulnerability detection in the Simple Blog Card plugin have been completed
July 25, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
July 26, 2023The author closed his plugin and did not fix the vulnerability
August 7, 2023Registered CVE-2023-4023

Discovery of the Vulnerability

During a meticulous examination of the All Users Messenger plugin for WordPress, an internal vulnerability was unearthed, specifically affecting versions up to 1.24. The vulnerability involves a significant oversight that permits non-administrator users to delete messages from the all-users messenger, potentially leading to unauthorized data manipulation.

Understanding of IDOR (Insecure Direct Object Reference)

Insecure Direct Object Reference (IDOR) is a security vulnerability that arises when an application does not sufficiently verify user access rights before allowing access to certain resources or functionalities. In the case of the All Users Messenger plugin, the absence of proper access checks enables unauthorized users to delete messages that they should not have permission to manipulate.

Exploiting the IDOR (Insecure Direct Object Reference) vulnerability

By leveraging the lack of adequate access control, a non-administrator user with subscriber-level privileges can manipulate the plugin’s message deletion functionality to remove messages that belong to other users. This can potentially disrupt communication, lead to data loss, and compromise the integrity of the messaging system.

POC request:

POST /wordpress/index.php?rest_route=%2Frf%2Fall_users_messenger_view_api%2Ftoken&_locale=user HTTP/1.1
Host: your_host
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, /;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://your_host/wordpress/wp-admin/admin.php?page=AllUsersMessenger
X-WP-Nonce: 5e42638171
Content-Type: application/json
Origin: http://your_host
Content-Length: 81
Connection: close
Cookie: cookie of low privilege user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin


This shortcode can be inserted into a new post

Potential Risks and Real-World Impact

A subscriber-level user is able to exploit this vulnerability by tampering with message deletion requests, allowing them to delete messages from the all-users messenger that they should not have the authority to modify.

  1. Unauthorized Data Manipulation:
    Attackers could maliciously delete important messages, leading to information loss and potential disruption of communication among users.
  2. Privacy Breach:
    Sensitive or private messages could be deleted by unauthorized users, potentially violating user privacy and confidentiality.
  3. Content Tampering:
    By exploiting the vulnerability, attackers might alter or delete critical messages, affecting the authenticity and reliability of communication.

Recommendations for Improved Security

To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

  • Immediate Plugin Delete:
    Website administrators should delete the All Users Messenger
  • Access Control Validation:
    Developers should conduct rigorous access control checks to ensure that users have the appropriate authorization before allowing them to modify or delete messages.
  • Regular Security Audits:
    Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  • User Privilege Restriction:
    Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
  • Least Privilege Principle:
    Implement the principle of least privilege, granting users only the permissions necessary for their intended tasks.

By addressing the IDOR vulnerability in the All Users Messenger plugin and adopting these security recommendations, website owners can fortify their messaging systems, preserve data integrity, and create a safer environment for communication among users.

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

Check my website

CVE-2023-4023 – All Users Messenger <= 1.24 - Subscriber + Message Deletion via IDOR

Leave a Reply

Your email address will not be published. Required fields are marked *