Improper access control is a common class of web application vulnerability: it can allow attackers to gain unauthorized access to sensitive information. A critical vulnerability of this kind has recently been discovered in RedLettuce Plugins WP Word Count, a popular WordPress plugin. It is tracked as CVE-2023-46628 and has serious implications for website owners and their users. This post covers the technical details of the vulnerability, including the affected versions and potential exploit scenarios.

Affected Versions

This issue affects WP Word Count versions up to and including 3.2.4. The advisory gives no lower bound ("n/a").

Technical Background

The WP Word Count plugin from RedLettuce Plugins is a widely used plugin for WordPress websites, providing users with word count statistics for their posts and pages. CVE-2023-46628 describes a missing authorization vulnerability in the plugin, which may allow attackers to exploit poorly configured access control settings. The vulnerability is caused by the plugin's insufficient validation of user permissions, which enables unauthorized users to view or manipulate others' word count data.

The missing authorization check occurs in the 'wp-word-count/includes/page-stats.php' file:

function wpwc_page_stats() {
  // ...
  // 'read' is granted to every default role, including Subscriber.
  if (!current_user_can('read')) {
    wp_die(__('You do not have sufficient permissions to access this page.'));
  }
  // ...
}

The code snippet above shows the plugin's attempt to verify that the current user has the 'read' capability. However, 'read' is not sufficient to protect sensitive word count data, because WordPress grants it to every default role, including Subscriber. A more restrictive capability, such as 'manage_options', should be required instead.

Exploit Details

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable website, bypassing the insufficient access control checks. The attacker can then view other users' word count statistics and potentially manipulate their data.

Mitigation

To prevent exploitation of this vulnerability, users are advised to update their WP Word Count plugin to the latest version, which addresses the issue. An alternative solution is to modify the 'wpwc_page_stats()' function in the 'wp-word-count/includes/page-stats.php' file, replacing the 'read' permission level with a more restrictive level.

function wpwc_page_stats() {
  // ...
  // 'manage_options' is granted only to Administrators by default.
  if (!current_user_can('manage_options')) {
    wp_die(__('You do not have sufficient permissions to access this page.'));
  }
  // ...
}
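
A small static check for the pattern described above, as an added example that is not part of the original post or the plugin's code: it scans PHP source for current_user_can() calls and flags those that test only a capability the default Subscriber role already holds. The LOW_PRIVILEGE_CAPS set, the audit_capability_checks name and the sample strings are assumptions constructed for illustration.

```python
import re

# Assumption for this example: capabilities the default Subscriber role holds.
# A check against one of these only proves that the visitor is logged in.
LOW_PRIVILEGE_CAPS = {"read", "level_0"}

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")
# Matches a quoted literal capability, or captures a non-literal argument.
CALL_RE = re.compile(r"current_user_can\s*\(\s*(?:(['\"])([\w-]+)\1|([^)]*))")


def audit_capability_checks(php_source):
    """Return (line_no, function, capability, verdict) per current_user_can() call.

    Line-based heuristic: a call is attributed to the most recent `function`
    declaration above it, so treat the function name as a hint, not a parse.
    """
    findings = []
    current_function = "<global>"
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        declared = FUNC_RE.search(line)
        if declared:
            current_function = declared.group(1)
        for call in CALL_RE.finditer(line):
            literal, dynamic = call.group(2), call.group(3)
            if literal is None:
                # Capability comes from a variable or expression: needs a human.
                findings.append((line_no, current_function, dynamic.strip(), "REVIEW"))
            elif literal in LOW_PRIVILEGE_CAPS:
                findings.append((line_no, current_function, literal, "WEAK"))
            else:
                findings.append((line_no, current_function, literal, "OK"))
    return findings


# Constructed sample input, modelled on the two snippets in this post.
SAMPLE_BEFORE = """<?php
function wpwc_page_stats() {
  if (!current_user_can('read')) {
    wp_die(__('You do not have sufficient permissions to access this page.'));
  }
}
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("'read'", "'manage_options'")

if __name__ == "__main__":
    for label, source in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for finding in audit_capability_checks(source):
            print(label, *finding)
```

An OK verdict only means the capability is not one a Subscriber holds; whether it is the right capability for the data being served remains a review decision.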

Original References

For more information on this vulnerability, including its CVE record and related discussions, please refer to the following links:

1. CVE-2023-46628
2. RedLettuce Plugins WP Word Count

Conclusion

Securing web applications and their associated plugins is a top priority for organizations and individuals alike. The CVE-2023-46628 vulnerability demonstrates the risks posed by insufficient access control checks in plugins like WP Word Count. By updating to the latest version or implementing suggested code changes, WordPress users can protect their website and its sensitive word count data from unauthorized access.

Timeline

Published on: 01/02/2025 12:15:13 UTC