Jose Mortellaro Freesoul Deactivate Plugins – Plugin Manager and Cleanup is a popular WordPress plugin designed to help website owners manage their plugins with increased efficiency. It allows you to enable or disable plugins for specific pages or posts, making it easier to clean up unused or unnecessary plugins without affecting the performance of your website. Unfortunately, a serious security vulnerability has been discovered in versions of the plugin up to and including version 2.1.3. This vulnerability is classified as CVE-2023-46188 and is considered to be a high-risk issue that should be urgently addressed.

Description

The CVE-2023-46188 vulnerability is a Missing Authorization issue that allows attackers to exploit improperly configured Access Control levels in the Freesoul Deactivate Plugins – Plugin Manager and Cleanup. In other words, this vulnerability allows attackers to enable or disable plugins without proper authorization, potentially compromising the integrity of your website or even gaining unauthorized access to sensitive data.

This vulnerability affects Freesoul Deactivate Plugins – Plugin Manager and Cleanup versions up to and including 2.1.3.

Here is an example of a code snippet that illustrates how this vulnerability can be exploited

$slug = "freesoul_deactivate_plugins";
if ( ! current_user_can( 'manage_options' ) && ( is_plugin_active( plugin_roles()->plugin ) || is_plugin_active_for_network( plugin_roles()->plugin ) ) ) {
    if ( current_user_can( 'plugin_roles_manager' ) && isset( $_GET["page"] ) && $slug === $_GET["page"] ) {
        wp_die( __( 'Sorry, you are not allowed to access this page.' ), 403 );
    }
}

The vulnerability can be triggered by an attacker sending a crafted HTTP request to the target WordPress site, which will allow improper access to the plugin's settings.

Exploit Details

The vulnerability outlined by CVE-2023-46188 can be exploited through specifically crafted payloads or attacks on improperly secured WordPress sites. The exploit requires the attacker to force the target website to process requests that allow unauthorized access or modification of plugins on the site, potentially leading to reduced functionality or even complete control of the site.

Please find more details on CVE-2023-46188 and related vulnerabilities in the official CVE database and in the WordPress plugin disclosure here:
- CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46188
- WordPress plugin disclosure: https://wpscan.com/vulnerability/b281084-33d4-414e-aa82-3ab6b9762075

Mitigation

To protect your WordPress site from CVE-2023-46188, it is strongly recommended that you take the following steps:

1. Update your Freesoul Deactivate Plugins – Plugin Manager and Cleanup to the latest version (2.1.4 or later) to remediate the vulnerability.
2. Strengthen your WordPress access control settings, ensuring that only trusted users have permission to modify plugins or access sensitive areas of your site.
3. Regularly review and monitor your site's security logs to identify potential unauthorized access attempts or other security events.

Conclusion

The CVE-2023-46188 vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin Manager and Cleanup is a high-risk issue that requires urgent attention. Updating the plugin to the latest version and actively monitoring your site's security are essential steps in ensuring the continued safety and integrity of your WordPress site.

Timeline

Published on: 01/02/2025 12:15:11 UTC