Summary: A Missing Authorization vulnerability has been discovered in weDevs WP Project Manager, allowing attackers to abuse access control security levels that were incorrectly configured. This security issue affects versions from n/a through 2.6.7.
Introduction
weDevs WP Project Manager is a popular WordPress plugin that lets teams manage projects, track progress, and collaborate through a single platform. A security vulnerability, CVE-2023-40003, was disclosed in the plugin and affects sites running the vulnerable versions. It allows attackers to bypass the plugin's access control security levels and gain unauthorized access to project data. This article covers the vulnerability details, the exploit, and the code involved.
Vulnerability Details
A Missing Authorization vulnerability (CWE-862) affects the confidentiality, integrity, and availability of an application. It occurs when the application fails to check, or checks incorrectly, whether the caller is permitted to perform an action, so a user (or an unauthenticated visitor) can do things they should not be able to. weDevs WP Project Manager versions from n/a through 2.6.7 carry this kind of flaw: requests reach the plugin's project and task handling without the caller's permissions on the target project being verified, which allows attackers to bypass access control security levels and access sensitive project data.
Exploit
The exploit relies on the missing or incorrect access control security levels configuration and abuses the AJAX API the plugin exposes through WordPress's admin-ajax.php. Because the plugin's AJAX handlers do not verify that the caller is authorized for the target project, requests to create, modify, and delete project tasks are processed without proper authorization.
To exploit this vulnerability, an attacker can use the following code snippet:
// Builds an unauthenticated POST to the plugin's AJAX entry point.
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://<target-domain>/wp-admin/admin-ajax.php", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// The vulnerable handler requires neither a nonce parameter nor an authenticated session.
xhr.send("action=cpm_task_new&project_id=<valid-project-id>&list_id=<valid-task-list-id>&task=<task-text>&due=<due-date>&privacy=<privacy-setting>");
In this snippet, the attacker replaces <target-domain> with the victim's domain, <valid-project-id> with a valid project identifier, <valid-task-list-id> with a valid task list identifier, <task-text> with the task text, <due-date> with the task's due date, and <privacy-setting> with the desired privacy setting. Note what the request does not carry: no WordPress nonce and no valid session for a member of the project. A correctly authorized handler rejects such a request; the vulnerable versions process it. This particular request creates a task, and the same unauthorized access applies to the plugin's handlers for editing and deleting tasks within the victim's project.
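As an added example (not code from WP Project Manager or weDevs), the following PHP shows the shape of the defect the exploit above relies on, beside a hardened handler. The handler names, the task post type, the membership meta key, the capability and the nonce name are assumptions for illustration; the WordPress functions used (add_action, check_ajax_referer, current_user_can, wp_send_json_error, wp_insert_post, get_post_meta) are real.

```php
<?php
// Added example, not the plugin's own code. Names prefixed example_ are assumptions.

// Storage used by both handlers: a task is a post of an assumed custom type,
// parented to the project post it belongs to.
function example_insert_task( $project_id, $task_text ) {
    return wp_insert_post( array(
        'post_type'   => 'example_task',
        'post_title'  => $task_text,
        'post_parent' => $project_id,
        'post_status' => 'publish',
    ), true ); // true: return WP_Error instead of 0 on failure
}

// Object-level authorization: project membership is assumed to be stored as an
// array of user IDs in post meta on the project post.
function example_user_in_project( $user_id, $project_id ) {
    $members = get_post_meta( $project_id, '_example_project_members', true );
    return is_array( $members )
        && in_array( (int) $user_id, array_map( 'intval', $members ), true );
}

// --- Vulnerable shape: registered for logged-out visitors too, and the handler
//     never asks who is calling or whether they may touch this project.
add_action( 'wp_ajax_nopriv_example_task_new', 'example_task_new_vulnerable' );
add_action( 'wp_ajax_example_task_new', 'example_task_new_vulnerable' );

function example_task_new_vulnerable() {
    $project_id = (int) ( $_POST['project_id'] ?? 0 );
    $task_text  = (string) ( $_POST['task'] ?? '' );
    $task_id    = example_insert_task( $project_id, $task_text );
    wp_send_json_success( array( 'task_id' => $task_id ) );
}

// --- Hardened shape: logged-in users only (no nopriv registration), CSRF nonce
//     verified, then a capability check and a per-project membership check
//     before anything is written.
add_action( 'wp_ajax_example_task_new_secure', 'example_task_new_hardened' );

function example_task_new_hardened() {
    // 1. Nonce: ties the request to a page this user was actually served
    //    (check_ajax_referer dies with -1 on failure).
    check_ajax_referer( 'example_task_new', 'nonce' );

    // 2. Authentication plus a coarse capability check.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Authorization on the specific object: only project members may add tasks.
    //    This is the check that "missing authorization" bugs most often lack;
    //    step 2 alone lets any subscriber act on any project.
    $project_id = absint( $_POST['project_id'] ?? 0 );
    if ( ! example_user_in_project( get_current_user_id(), $project_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Only now sanitize and write.
    $task_text = sanitize_text_field( wp_unslash( $_POST['task'] ?? '' ) );
    if ( '' === $task_text ) {
        wp_send_json_error( array( 'message' => 'task text required' ), 400 );
    }
    $task_id = example_insert_task( $project_id, $task_text );
    if ( is_wp_error( $task_id ) ) {
        wp_send_json_error( array( 'message' => $task_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'task_id' => $task_id ) );
}
```

The front end of the hardened variant would obtain its nonce from wp_create_nonce( 'example_task_new' ) (for instance via wp_localize_script) and send it as the nonce field. The exploit snippet above fails against the hardened handler three times over: there is no nopriv registration, so an unauthenticated request never reaches the function; a logged-in attacker without a nonce is stopped at step 1; and a logged-in user who is not a member of the targeted project is stopped at step 3.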
Original References
1. CVE-2023-40003 - National Vulnerability Database (NIST)
2. weDevs WP Project Manager Security Advisory – Official Notice
3. WP Vulnerability Database: WP Project Manager - Vulnerability Report
Mitigation
To mitigate CVE-2023-40003, update the weDevs WP Project Manager plugin to version 2.6.8 or later, which includes the security patch for this issue. Until the update is applied, site owners can also enforce access control at the site level so that unauthorized users cannot reach the affected functionality and gain access to sensitive project data.
In addition, always run the latest version of every WordPress plugin and regularly scan the site for known vulnerabilities with a reputable vulnerability scanner.
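As an added example of a site-level stop-gap (not weDevs' patch and not part of the original article), the following must-use plugin refuses admin-ajax.php requests for cpm_-prefixed actions, the prefix used by the exploit snippet, unless the caller is logged in and holds a capability. The capability ('edit_posts') and the assumption that the cpm_ prefix selects exactly the plugin's handlers are illustrative; adjust both to the site.

```php
<?php
/**
 * Plugin Name: Example gate for WP Project Manager AJAX actions
 * Description: Added example, not the vendor's fix. Place in wp-content/mu-plugins/
 *              as a temporary measure until the plugin is updated to 2.6.8 or later.
 */

// admin-ajax.php fires admin_init before dispatching wp_ajax_* / wp_ajax_nopriv_*
// handlers, so a priority-0 callback here runs ahead of the plugin's own code.
add_action( 'admin_init', 'example_gate_cpm_ajax', 0 );

function example_gate_cpm_ajax() {
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( ! example_is_cpm_action( $action ) ) {
        return; // not one of the plugin's actions; leave it alone
    }

    // Assumption: 'edit_posts' approximates "may work on projects" on this site.
    if ( is_user_logged_in() && current_user_can( 'edit_posts' ) ) {
        return;
    }

    error_log( sprintf(
        'example_gate: blocked action=%s ip=%s user=%d',
        $action,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        get_current_user_id()
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // ends the request via wp_die()
}

// Selector for the plugin's actions; the cpm_ prefix follows the exploit snippet.
function example_is_cpm_action( $action ) {
    return 0 === strncmp( $action, 'cpm_', 4 );
}
```

This gate reduces exposure but does not replace the update: it cannot add the per-project membership check that belongs inside the plugin, and it will also block any legitimate logged-out use of those actions. The error_log lines it writes are useful as a record of attempts made against the site while the gate was in place.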
Conclusion
The CVE-2023-40003 vulnerability in weDevs WP Project Manager poses a significant risk to users who have installed the affected versions of the plugin. Attackers can exploit this Missing Authorization vulnerability to bypass access control security levels and gain unauthorized access to sensitive project data. To protect their site and data, users should update to the latest version of the plugin and follow security best practices for WordPress site management.
Timeline
Published on: 12/13/2024 15:15:21 UTC