The Common Vulnerabilities and Exposures (CVE) system provides a reference for publicly disclosed cybersecurity threats. In this post, we will discuss a newly discovered vulnerability (CVE-2023-45002) affecting the popular WordPress plugin "weDevs - WP User Frontend" from version N/A through 3.6.8. The issue is a missing authorization vulnerability that leaves access control security levels incorrectly configured.

We will provide the necessary information, code snippets, and original references to help understand, detect, and mitigate this vulnerability.

Description of the Vulnerability

The weDevs WP User Frontend plugin allows developers to create user registration, profile management, and post submission forms from within the WordPress admin backend. The vulnerability is due to a missing authorization check in the plugin, resulting in incorrectly configured access control security levels.

An authenticated user with low-level access (e.g., a subscriber role in WordPress) can exploit this vulnerability to escalate their privileges, giving them unauthorized access to restricted resources and allowing them to perform sensitive operations that were not intended by the site administrator.

The following code snippet demonstrates the missing authorization check:

// File: wp-user-frontend/includes/class-expiration.php
public function save_subscription($order_id) {
    ...
    if ($status == 'completed') {
        $user = get_user_by('email', $billing_email);
        ...
        $subs = new stdClass;
        ...
        $subs->expire = $expire;
        update_user_meta($user->id, '_wpuf_subscription_pack', $subs);
        ...
    }
}

The save_subscription function handles the processing of user subscription changes and updates the associated user metadata. As shown in the code snippet, there is no access control mechanism validating the user privileges before updating the user's subscription metadata.
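For contrast, here is the kind of check the snippet above lacks, written as an added example; it is not the plugin's code and not its fix. The function name, the parameter list, the nonce action name and the choice of the `edit_users` capability are assumptions made for illustration, and the code is meant to run inside WordPress.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: the function,
// its parameters and the 'wpuf_example_save_subscription' nonce action.

/**
 * Update a user's subscription pack only for an authorized caller.
 *
 * @return true|WP_Error
 */
function wpuf_example_save_subscription_checked( $billing_email, $status, $expire, $nonce ) {
    // 1. Request integrity: the nonce ties the request to a form this site issued.
    if ( ! wp_verify_nonce( $nonce, 'wpuf_example_save_subscription' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or expired nonce.', array( 'status' => 403 ) );
    }

    // 2. Authorization (assumption: only accounts allowed to edit users may
    //    change subscription metadata). A subscriber does not hold 'edit_users'.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to change subscriptions.', array( 'status' => 403 ) );
    }

    if ( 'completed' !== $status ) {
        return new WP_Error( 'not_completed', 'Order is not completed.', array( 'status' => 400 ) );
    }

    // 3. Validate the target: get_user_by() returns false for an unknown address,
    //    so never dereference its result unchecked.
    $email = sanitize_email( $billing_email );
    $user  = $email ? get_user_by( 'email', $email ) : false;
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No user for that billing e-mail.', array( 'status' => 404 ) );
    }

    // 4. Per-target check. On its own 'edit_user' is not enough, because
    //    WordPress lets every user pass it for their own account; that is
    //    why the primitive 'edit_users' check in step 2 comes first.
    if ( ! current_user_can( 'edit_user', $user->ID ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to edit this user.', array( 'status' => 403 ) );
    }

    $subs         = new stdClass();
    $subs->expire = sanitize_text_field( $expire );
    update_user_meta( $user->ID, '_wpuf_subscription_pack', $subs );

    return true;
}
```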

Exploit Details

An attacker can exploit this vulnerability by sending a crafted HTTP request with the required user data to manipulate the user's subscription metadata. This can be done using an HTTP client such as cURL or a web browser with a proxy to intercept and modify the request. For example:

The attacker modifies the request, including the order_id, billing_email, and other user data.

4. The attacker sends the modified request, tricking the server into updating their subscription metadata and granting unauthorized access to restricted resources.

Mitigation and Recommendations

To mitigate this vulnerability, site administrators using the affected versions of weDevs WP User Frontend should update the plugin to the latest version. As of the time of writing, the plugin authors have not released an updated version that addresses this issue. Therefore, admins should monitor the official GitHub page for updates and apply patches as they become available.

Conclusion

The CVE-2023-45002 vulnerability demonstrates the importance of proper access control implementation and maintaining up-to-date software. By following the recommendations listed above, site administrators can mitigate this risk and better secure their WordPress installations. Stay informed about the latest threats and vulnerabilities to ensure your site remains as secure as possible.

Timeline

Published on: 01/02/2025 12:15:08 UTC