Introduction

In this post, we will explore CVE-2023-3956, a critical vulnerability in the InstaWP Connect plugin for WordPress. The plugin is installed on thousands of WordPress sites worldwide to manage their WordPress content.

The impact reaches both user data privacy and the integrity of every site running the plugin: the flaw allows unauthorized access to data, modification of data, and loss of data.

The issue arises due to a missing capability check in the 'events_receiver' function of the InstaWP Connect plugin for WordPress in versions up to and including ..9.18. As a result, unauthenticated attackers can add, modify, or delete posts and taxonomies, install, activate or deactivate plugins, change customizer settings, and even add, modify, or delete users including administrator users.

In this post, we will look at the exploit details, the affected code snippet, steps to reproduce the issue, and how to mitigate this vulnerability.

Exploit Details

Exploit Title: InstaWP Connect <= ..9.18 Unauthenticated Data Access and Site Takeover
CVE: CVE-2023-3956
Affected Plugin: InstaWP Connect
Affected Versions: <= ..9.18
Fixed Version: (not released at the time of writing)
Risk Level: High

Code Snippet

The vulnerability exists in the 'events_receiver' function of the InstaWP Connect plugin because it lacks proper access control checks. Here's the vulnerable code snippet:

function events_receiver() {
	global $wpdb;

	// Untrusted input: the whole payload comes straight from the POST body.
	$request = $_POST['instawp_api'];

	// No proper capability check is performed here: nothing calls
	// current_user_can(), verifies a nonce, or checks any other credential,
	// so the identity of the sender is never established.

	$table_name = $wpdb->prefix . 'instaWP_connect';

	// The event is recorded exactly as supplied. $wpdb->insert() escapes the
	// values, so this is an authorization flaw rather than SQL injection.
	$wpdb->insert(
		$table_name,
		array(
			'event'        => $request['event'],
			'object_id'    => $request['object_id'],
			'object_type'  => $request['object_type'],
			'is_active'    => 1,
			'created_date' => date( 'Y-m-d H:i:s' ),
		)
	);
}

As you can see, the function never calls current_user_can(), never verifies a nonce, and never checks any other credential before acting on the request. Any HTTP client that can reach the endpoint which invokes this function, with no WordPress account at all, can therefore queue events that the plugin then acts on, including the post, plugin, customizer and user operations listed above, all of which should be restricted to administrators or other trusted users. Note that $wpdb->insert() escapes its values, so the bug is missing authorization, not SQL injection.
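For comparison, here is how the same handler looks with the checks a privileged WordPress endpoint needs. This is an added example written for this post; it is not the plugin's code and not the vendor's patch. It assumes the handler is reached through admin-ajax.php as an 'instawp_events_receiver' action and that the caller sends a nonce created with wp_create_nonce( 'instawp_events' ) in a 'nonce' field; the hook name, nonce action and the allow-lists of event and object types are illustrative.

```php
<?php
/**
 * Added example, not InstaWP's code: events_receiver() with a nonce check,
 * a capability check, and input validation. Hook name, nonce action and the
 * allow-lists below are assumptions made for illustration.
 */

// Register only the authenticated AJAX action. Deliberately NOT registering
// 'wp_ajax_nopriv_instawp_events_receiver' means WordPress never routes
// anonymous requests to this handler at all.
add_action( 'wp_ajax_instawp_events_receiver', 'instawp_hardened_events_receiver' );

function instawp_hardened_events_receiver() {
	global $wpdb;

	// 1. CSRF protection: the request must carry a valid nonce for this action.
	//    check_ajax_referer() exits with a 403 when the nonce is missing or bad.
	check_ajax_referer( 'instawp_events', 'nonce' );

	// 2. Authorization: only users allowed to manage the site may queue events
	//    that can end up creating users or installing plugins.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
	}

	// 3. Input validation: fail closed on a missing or malformed payload.
	$request = isset( $_POST['instawp_api'] ) && is_array( $_POST['instawp_api'] )
		? wp_unslash( $_POST['instawp_api'] )
		: null;
	if ( null === $request ) {
		wp_send_json_error( array( 'message' => 'Missing instawp_api payload.' ), 400 );
	}

	// 4. Allow-list event and object types instead of trusting free-form strings
	//    (illustrative values; a real plugin would use its own event vocabulary).
	$allowed_events       = array( 'created', 'updated', 'deleted' );
	$allowed_object_types = array( 'post', 'term', 'user', 'plugin', 'option' );

	$event       = isset( $request['event'] ) ? sanitize_key( $request['event'] ) : '';
	$object_type = isset( $request['object_type'] ) ? sanitize_key( $request['object_type'] ) : '';
	$object_id   = isset( $request['object_id'] ) ? absint( $request['object_id'] ) : 0;

	if ( ! in_array( $event, $allowed_events, true )
		|| ! in_array( $object_type, $allowed_object_types, true )
		|| 0 === $object_id ) {
		wp_send_json_error( array( 'message' => 'Invalid event.' ), 400 );
	}

	$table_name = $wpdb->prefix . 'instaWP_connect';

	// $wpdb->insert() escapes the values; the format array pins each column's
	// type so numeric fields cannot be smuggled in as strings.
	$inserted = $wpdb->insert(
		$table_name,
		array(
			'event'        => $event,
			'object_id'    => $object_id,
			'object_type'  => $object_type,
			'is_active'    => 1,
			'created_date' => current_time( 'mysql' ),
		),
		array( '%s', '%d', '%s', '%d', '%s' )
	);

	if ( false === $inserted ) {
		wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
	}

	wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
```

If the handler is exposed as a REST route instead, the equivalent of step 2 is a permission_callback that returns current_user_can( 'manage_options' ); a route registered with a permission_callback of __return_true is the REST form of the same bug. And if the endpoint is meant to be called by the InstaWP service rather than by a logged-in user, the replacement for the capability check is verification of a per-site shared secret in constant time with hash_equals(), never the absence of any check.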

Steps to Reproduce

You can use the following steps to reproduce the issue on a vulnerable WordPress installation running InstaWP Connect <= ..9.18. No account on the target is required:

1. From a client that holds no WordPress session cookie, send an HTTP POST request to the endpoint that invokes events_receiver, with the instawp_api[event], instawp_api[object_id] and instawp_api[object_type] fields set to the action you want recorded.
2. Observe that the request is accepted rather than rejected with a 401 or 403, then confirm the effect on the target: a new row in the {prefix}instaWP_connect table and, depending on the event submitted, the corresponding change to posts, taxonomies, plugins, customizer settings or users.

Mitigation

Since no fixed version of the plugin is available at the time of writing, users are left with the following options:

1. Deactivate or uninstall the InstaWP Connect plugin. WordPress does not load the code of a deactivated plugin, so deactivation alone closes the unauthenticated path into events_receiver; if the functionality is needed, look for an alternative plugin that enforces capability checks on its endpoints.
2. Contact the plugin developer and urge them to release a patch as soon as possible, and keep the plugin inactive until the fixed version has been installed.

Whether or not the plugin stays installed, keep monitoring the site for anomalies (unexpected administrator accounts, newly installed or activated plugins, changed customizer settings, unexplained rows in the {prefix}instaWP_connect table) and keep regular off-site backups so that a compromise can be rolled back.
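For sites that cannot deactivate the plugin immediately, a must-use plugin can act as a temporary guard and as a detection point. The following is an added example written for this post, not code from InstaWP or from the original author: it refuses and logs POST requests that carry the instawp_api field read by events_receiver() unless the requester holds manage_options. It assumes the field name shown in the vulnerable snippet, that the plugin reads the field from form-encoded POST data (so a JSON body would not be caught), and that nothing else on the site legitimately posts that field anonymously, which may include the InstaWP service itself; test that assumption before deploying.

```php
<?php
/**
 * Plugin Name: InstaWP events_receiver guard (temporary)
 * Description: Added example, not from InstaWP: blocks and logs anonymous
 *              requests shaped like events_receiver() input. Drop this file
 *              into wp-content/mu-plugins/ and remove it once a fixed
 *              plugin version is installed.
 */

// mu-plugins load before regular plugins, and 'init' fires before admin-ajax
// and REST handlers dispatch, so the guard sees the request first.
add_action( 'init', 'instawp_guard_block_anonymous_events', 0 );

function instawp_guard_block_anonymous_events() {
	if ( ! instawp_guard_is_suspicious_request( $_SERVER, $_POST ) ) {
		return;
	}
	// Administrators keep working normally; everyone else is refused.
	if ( current_user_can( 'manage_options' ) ) {
		return;
	}

	instawp_guard_log( $_SERVER, $_POST );

	// Fail closed with a 403 and no caching of the response.
	status_header( 403 );
	nocache_headers();
	wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

/**
 * Pure decision function: a POST request whose body contains the instawp_api
 * field is the shape events_receiver() consumes. Assumption: the field name
 * is taken from the vulnerable snippet above.
 */
function instawp_guard_is_suspicious_request( array $server, array $post ) {
	$method = isset( $server['REQUEST_METHOD'] ) ? strtoupper( $server['REQUEST_METHOD'] ) : 'GET';
	return 'POST' === $method && isset( $post['instawp_api'] );
}

/**
 * Write one structured line to the PHP error log (or WP_DEBUG_LOG), which most
 * hosting log shippers already collect. Alert on the 'instawp_guard' tag.
 */
function instawp_guard_log( array $server, array $post ) {
	$payload = ( isset( $post['instawp_api'] ) && is_array( $post['instawp_api'] ) )
		? $post['instawp_api']
		: array();

	$record = array(
		'ts'     => gmdate( 'c' ),
		// REMOTE_ADDR is the proxy's address behind a reverse proxy or CDN;
		// adjust to the trusted forwarded-for header if you use one.
		'ip'     => isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '',
		'uri'    => isset( $server['REQUEST_URI'] ) ? $server['REQUEST_URI'] : '',
		'ua'     => isset( $server['HTTP_USER_AGENT'] ) ? substr( $server['HTTP_USER_AGENT'], 0, 200 ) : '',
		'event'  => isset( $payload['event'] ) ? sanitize_text_field( (string) $payload['event'] ) : '',
		'object' => isset( $payload['object_type'] ) ? sanitize_text_field( (string) $payload['object_type'] ) : '',
	);

	error_log( 'instawp_guard blocked anonymous instawp_api request ' . wp_json_encode( $record ) );
}
```

The guard is a stopgap, not a fix: it only covers the request shape visible in the snippet, and a plugin update that changes the field name or accepts JSON would bypass it. Its main value while waiting for a patch is the log line, which turns every exploitation attempt into an alert with a source address and the requested event.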

References

1. Original Advisory: [original_link_here]

2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3956
3. Exploit-DB Entry: https://www.exploit-db.com/exploits/##### (replace ##### with the relevant entry number)
4. WordPress Plugin Repository: https://wordpress.org/plugins/instawp-connect/

Conclusion

The CVE-2023-3956 vulnerability in the InstaWP Connect plugin exposes WordPress installations to unauthorized access and potential data loss. It is crucial for users of this plugin to be aware of the risk and take necessary steps to protect their websites. We hope this post provided enough information for users to understand the problem and take appropriate actions.

Timeline

Published on: 07/27/2023 07:15:00 UTC
Last modified on: 08/02/2023 22:01:00 UTC