CVE-2023-0551: REST API TO MiniProgram WordPress Plugin - Authenticated Arbitrary Attachment Deletion

The WordPress ecosystem provides a plethora of plugins that make it easier for website developers to implement new features and increase functionality. One such plugin is the REST API TO MiniProgram, which allows developers to better integrate their websites with WeChat Mini Programs.

However, versions up to and including 4.6.1 contain a security vulnerability designated CVE-2023-0551, which puts a significant number of WordPress websites at risk. This long-read post provides an in-depth analysis of the vulnerability, walks through the affected code, shows a sample exploit request, and links to the original references. Let's dive in!

Background

The REST API TO MiniProgram plugin, as the name suggests, provides a comprehensive RESTful API that allows developers to seamlessly share data between a WordPress site and a WeChat Mini Program. The plugin is widely used in e-commerce websites and various other applications.

Vulnerability Details (CVE-2023-0551)

This vulnerability stems from improper authorization and Cross-Site Request Forgery (CSRF) checks when handling AJAX actions. Essentially, this allows any authenticated user, such as a simple subscriber, to delete arbitrary attachments from the website, leading to potential data loss and defacement.

Code Snippet

The source of this vulnerability can be traced back to the absence of proper checks for authorization and CSRF tokens in the AJAX action. The following code snippet demonstrates the vulnerable AJAX action:

function wp_ajax_nopriv_w2w_delete() {
    // Attachment ID is taken straight from the POST body; no nonce is verified
    $id = intval( $_POST['p'] );
    if ( $id ) {
        // Force-deletes the attachment (bypassing the trash) without checking
        // whether the current user is allowed to delete it
        wp_delete_attachment( $id, true );
    }
}
// Registered only on the wp_ajax_ hook, so it fires for any logged-in user
add_action( 'wp_ajax_w2w_delete', 'wp_ajax_nopriv_w2w_delete' );

In the above code, the AJAX action 'w2w_delete' handles any incoming delete request: it reads the attachment ID from the request and deletes it with the wp_delete_attachment() function. The problem is that the handler performs neither a capability check on the current user nor CSRF (nonce) validation, so any authenticated user can trigger it for any attachment ID.

Exploit Example

An attacker can exploit this vulnerability by crafting a simple HTTP POST request with the appropriate parameters and sending it to the server. The server will then accept the request and delete the attachment with the provided ID without verifying the authenticity of the request or the role of the user.

Here's a sample cURL request for exploiting this vulnerability:

curl -X POST -d "action=w2w_delete&p=1234" https://www.vulnerable-website.com/wp-admin/admin-ajax.php

In this example, the attacker sends a POST request to the target's admin-ajax.php file with the action 'w2w_delete' and a sample attachment ID of 1234. This will cause the server to delete the attachment with the ID 1234, even if the attacker has no authorization to do so.

Original References

The vulnerability was discovered and responsibly disclosed by security researchers. You can find more information about this vulnerability along with proper credit to the discoverers in the following references:

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0551
2. National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-0551
3. WPScan Vulnerability Database: https://wpscan.com/vulnerability/6f6fb150-0983-4e5f-a94d-60adfb793d72

Mitigation & Conclusion

As an immediate measure, update the REST API TO MiniProgram plugin to the latest version to ensure that your WordPress website is not affected by this vulnerability.

If you are a plugin developer, always ensure that the proper authorization and CSRF checks are in place when handling AJAX actions or similar functionality. This way, you can help maintain a secure website environment and avoid exposing your users to critical security risks.
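The following is an added example of how the handler shown earlier can be hardened with a nonce check and a capability check. It is illustrative code written for this post, not the plugin's actual fix; the nonce action name 'w2w_delete', the 'nonce' request field and the script handle 'w2w-client' are assumptions.

```php
<?php
// Register only the privileged (logged-in) hook. No wp_ajax_nopriv_ variant is
// added, so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_w2w_delete', 'w2w_delete_attachment_secure' );

function w2w_delete_attachment_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request if it is missing or invalid.
    check_ajax_referer( 'w2w_delete', 'nonce' );

    $id = isset( $_POST['p'] ) ? absint( $_POST['p'] ) : 0;
    if ( ! $id ) {
        wp_send_json_error( array( 'message' => 'missing attachment id' ), 400 );
    }

    // 2. Authorization: the ID must refer to an attachment, and the current
    //    user must hold the 'delete_post' meta-capability for that specific
    //    post (a subscriber fails this check; an author passes it only for
    //    attachments they own unless they also have delete_others_posts).
    if ( 'attachment' !== get_post_type( $id ) || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    if ( ! wp_delete_attachment( $id, true ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

// The client must obtain the nonce from a response rendered for the logged-in
// user. Assumed example: expose it to a front-end script via wp_localize_script().
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'w2w-client', 'w2w', array(
        'nonce' => wp_create_nonce( 'w2w_delete' ),
        'ajax'  => admin_url( 'admin-ajax.php' ),
    ) );
} );
```

With this in place, the request shown in the exploit section fails twice over: once for the missing nonce, and again for the missing delete capability.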

Timeline

Published on: 08/16/2023 12:15:00 UTC
Last modified on: 08/22/2023 16:45:00 UTC