It has been discovered that the FULL - Customer Plugin for WordPress (commonly used by website owners to manage user accounts, product and order details) is vulnerable to Information Disclosure in its REST API's /health route in versions up to and including 2.2.3. This vulnerability could potentially allow an attacker with at least subscriber-level permissions to access sensitive information about the website's configuration, such as plugin and theme details, WordPress core information, and other site-specific data that should not be publicly exposed.

Exploit Details

The root cause of this vulnerability is an improper authorization check in the FULL - Customer plugin for WordPress, specifically in the way it handles the /health route within its REST API. This means that an attacker would not need elevated permissions to access sensitive information about the site's configuration. To exploit this vulnerability, an attacker would simply need subscriber-level access to the website and knowledge of the REST API route.

An example of the code handling this vulnerability (in PHP) is as follows:

add_action( 'rest_api_init', function () {
        register_rest_route( 'full-customer-plugin/v2', '/health', array(
                'methods' => 'GET',
                'callback' => 'get_health_check_data',
                'permission_callback' => 'allow_full_customer_plugin_subscriber_access'
        ) );
} );

function get_health_check_data( WP_REST_Request $request ) {
        // ...code that gathers sensitive data and returns it as JSON...
}

function allow_full_customer_plugin_subscriber_access() {
        return current_user_can( 'read' ); // Vulnerable authorization check: any logged-in user can read.
}

As you can see, there is no proper validation of the user's role or capability during the permission check in the allow_full_customer_plugin_subscriber_access() function. It simply grants the required permission to anyone who can read, which includes users with subscriber-level access.
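The following is an added example, not the plugin's own code, showing how the same route would be registered with a correct permission check. The route namespace and the example_* function names are assumptions for illustration; the WordPress API calls (register_rest_route, current_user_can, rest_authorization_required_code, rest_ensure_response) are real.

```php
<?php
// Added example (not the FULL - Customer plugin's code): a /health route whose
// permission callback requires an administrator capability instead of 'read'.
// Namespace 'example-plugin/v2' and the example_* names are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v2', '/health', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_health_check_data',
        // Every logged-in user, subscribers included, has 'read'. The check
        // below demands a capability only administrators hold by default.
        'permission_callback' => 'example_health_permission_check',
    ) );
} );

function example_health_permission_check( WP_REST_Request $request ) {
    // 'manage_options' is granted only to the administrator role on a
    // default install, so subscribers, contributors and editors are refused.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // rest_authorization_required_code() yields 401 for anonymous callers
    // and 403 for authenticated users lacking the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view site health data.', 'example-plugin' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_get_health_check_data( WP_REST_Request $request ) {
    // Even for administrators, return only the fields the feature needs
    // rather than a full dump of plugin, theme and core configuration.
    $data = array(
        'wp_version'  => get_bloginfo( 'version' ),
        'php_version' => PHP_VERSION,
    );
    return rest_ensure_response( $data );
}
```

Logged-in callers reach REST routes with a cookie plus an X-WP-Nonce header, so the permission callback is the only place where role is enforced; returning a WP_Error with a 401/403 status also makes unauthorized probing of the route visible in access logs.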

The sensitive information obtained through this vulnerability could potentially lead to further exploitation, such as gaining unauthorized access to administrator accounts, manipulating data on the website, or launching other security attacks.

References

1. The official CVE entry for this vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4242
2. The associated National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2023-4242

Mitigation

To address this vulnerability, plugin users should update the FULL - Customer plugin for WordPress to version 2.2.4 or higher, which has resolved this security issue. If updating the plugin is not possible, website administrators should consider disabling the plugin until the issue can be properly fixed.

Conclusion

In conclusion, the Information Disclosure vulnerability discovered in the FULL - Customer plugin for WordPress (CVE-2023-4242) highlights the need for developers to implement proper access control measures when creating REST API services. This is particularly important when the API is responsible for retrieving and managing sensitive information. As a user of the plugin, it is crucial to stay informed about new vulnerabilities and the associated security patches available.

Timeline

Published on: 08/09/2023 04:15:00 UTC
Last modified on: 08/14/2023 15:27:00 UTC