A newly disclosed vulnerability in the Fullworks Quick Paypal Payments (QPP) WordPress plugin allows low-privileged authenticated users to change the plugin's settings, which can expose sensitive information and redirect payment handling. This post covers CVE-2023-25714: the affected versions, a code snippet showing where the authorization check is missing, references to the original sources, an overview of how the flaw is exploited, and the steps to mitigate it.

The vulnerability affects the following versions of the Quick Paypal Payments plugin:

- Quick Paypal Payments: all versions up to and including 5.7.25 (listed by the advisory as "n/a through 5.7.25")

Vulnerability Details

The vulnerability (CVE-2023-25714) is a broken access control issue: the handler for the plugin's admin settings page does not verify that the requesting user holds the capability needed to manage options. Any authenticated user, including one with the lowest default role (subscriber), can therefore submit changes to the plugin settings, compromising sensitive configuration and the integrity of the site's payment flow.

Code Snippet

Here is a simplified PHP snippet illustrating the affected area of the plugin, where the check of the user's privileges is missing. Note that check_admin_referer() only validates the CSRF nonce attached to the form; it does not establish who the user is or what they are allowed to do.

function qp_quick_plugin_options() { 
    $qp_options = get_option('qp_quick_options');
    // The nonce check below proves the POST came from the plugin's form (CSRF protection),
    // but there is no capability check such as current_user_can('manage_options').
    if (!empty($_POST) && check_admin_referer('qp_update','qp_quick_update') ) {
        ...
        // Any logged-in user who reaches this point can overwrite the stored settings.
        update_option('qp_quick_options', $qp_options); 
        ...
    }
}

The snippet shows that qp_quick_plugin_options() writes the submitted settings to the database as soon as the nonce validates, without checking the user's privilege level. A nonce is a CSRF defense, not an authorization control, so a subscriber who can obtain the form (and its nonce) passes the only check that exists and can update the options.
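The following is an added example written for this post, not the plugin's own code: the vulnerable pattern from the snippet above placed next to a hardened version. The function names (qp_example_*), the option key and the 'paypal_email' field are assumptions made for the demonstration; the real handler and its fields are not reproduced on this page.

```php
<?php
// Added illustrative example; not code from the Quick Paypal Payments plugin.
// Function names, the option key and the 'paypal_email' field are assumed here.

// Vulnerable pattern: check_admin_referer() only proves the request came from a
// form the plugin rendered (CSRF protection). It says nothing about WHO submitted
// it, so any logged-in user who can reach the form can rewrite the settings.
function qp_example_options_vulnerable() {
    $qp_options = get_option( 'qp_quick_options', array() );
    if ( ! empty( $_POST ) && check_admin_referer( 'qp_update', 'qp_quick_update' ) ) {
        $qp_options['paypal_email'] = $_POST['paypal_email']; // unauthorized and unsanitized
        update_option( 'qp_quick_options', $qp_options );
    }
}

// Hardened pattern: a capability check gates the write, the nonce check stays,
// and the submitted value is sanitized and validated before it is stored.
function qp_example_options_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to change these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    $qp_options = get_option( 'qp_quick_options', array() );

    // 2. CSRF: the nonce check is still required; it is necessary but not sufficient.
    if ( ! empty( $_POST ) && check_admin_referer( 'qp_update', 'qp_quick_update' ) ) {
        // 3. Input validation: store only a well-formed email address.
        $email = isset( $_POST['paypal_email'] )
            ? sanitize_email( wp_unslash( $_POST['paypal_email'] ) )
            : '';
        if ( '' === $email || ! is_email( $email ) ) {
            add_settings_error( 'qp_quick_options', 'invalid_email', 'Invalid PayPal email address.' );
            return;
        }
        $qp_options['paypal_email'] = $email;
        update_option( 'qp_quick_options', $qp_options );
    }
}

// Registering the page with the same capability keeps the menu entry, the nonce
// field and the handler consistent: a subscriber never sees the form at all.
add_action( 'admin_menu', function () {
    add_options_page(
        'Quick Paypal Payments',          // page title
        'Quick Paypal Payments',          // menu title
        'manage_options',                 // capability required to load the page
        'qp-example-settings',            // menu slug (assumed)
        'qp_example_options_hardened'     // callback that renders and handles the page
    );
} );
```

The capability check belongs inside the handler and not only in the menu registration: menu capabilities and handler code tend to drift apart over time, and handlers reached through other entry points (for example admin-post or AJAX actions) bypass the menu's capability entirely. Treat the nonce and the capability check as two separate controls that both have to pass.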

References

1. CVE Official Page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25714
2. Fullworks Official Website: https://fullworks.net/
3. WordPress Plugin Repository: https://wordpress.org/plugins/quick-paypal-payments/

Exploit Details

An attacker with minimal privileges, such as a subscriber account that can log in to the WordPress dashboard, can exploit this vulnerability by submitting a crafted HTTP POST request carrying the plugin's settings fields. Because only the nonce is validated, the request results in unauthorized changes to the plugin's settings. For instance, the attacker can replace the configured PayPal email address with their own, so that subsequent payments made through the plugin are directed to the attacker's account.

To mitigate this vulnerability, site owners should apply the following steps:

1. Update the Quick Paypal Payments plugin to version 5.7.26 or later, which resolves this security issue.
2. Review user roles and privileges on your WordPress site. Keep the number of accounts with elevated roles to a minimum and remove or downgrade accounts that do not need dashboard access.
3. Regularly review your web server and WordPress activity logs for unexpected POST requests to the plugin's settings page and for unexplained changes to the configured PayPal email address, and investigate any suspicious activity promptly.

Conclusion

CVE-2023-25714 is a serious vulnerability in the Fullworks Quick Paypal Payments plugin: a missing capability check lets any authenticated user modify the plugin's settings, including where payments are sent. Site owners should update the plugin to the latest version and follow the practices above to protect sensitive information and maintain site integrity.

Timeline

Published on: 12/09/2024 13:15:23 UTC