CVE-2023-47820 - Missing Authorization Vulnerability in CRUDLab WP Like Button, Exploiting Incorrectly Configured Access Control Security Levels

In today's post, we will take an in-depth look at a recently discovered security vulnerability, CVE-2023-47820, affecting CRUDLab WP Like Button from n/a through version 1.7., which allows remote attackers to exploit incorrectly configured access control security levels. This missing authorization issue has widespread implications for website administrators, potentially resulting in unauthorized access and tampering with user data.

Affected Versions

- WP Like Button: From n/a through 1.7.

Description

CVE-2023-47820 refers to a missing authorization vulnerability in CRUDLab WP Like Button, where a lack of proper authorization checks on sensitive operations (e.g., data reading, writing, deleting) makes it possible for attackers to bypass the intended access control system. This can lead to unauthorized actions such as modification of critical website settings and manipulation of user data.

Researchers have discovered this vulnerability in CRUDLab WP Like Button versions up to and including 1.7.. The developers have since patched the vulnerability, with the release of CRUDLab WP Like Button 1.7.1.

Details

The vulnerability exists due to insufficient access control checks applied by the WP Like Button plugin. An attacker with an unprivileged account can perform actions that are not intended by the system administrator. This results in potential unauthorized changes to the affected website or leaked sensitive data.

Consider the following WordPress code snippet demonstrating the vulnerability

add_action('wp_ajax_nopriv_wp_like_button_controller', 'wp_like_button::controller');
add_action('wp_ajax_wp_like_button_controller', 'wp_like_button::controller');

The preceding code snippet demonstrates the issue in the WP Like Button plugin, where it adds AJAX actions for both authorized (logged-in) and unauthorized (non-logged-in) users. As a result, any user can execute the 'wp_like_button::controller' method, even without proper authorization.

Exploit

To exploit this vulnerability, an attacker can use an HTTP request to trigger the vulnerable function, leading to unauthorized actions. For example, the following curl command can be used to exploit this vulnerability:

curl -X POST 'https://example.com/wp-admin/admin-ajax.php'; -d 'action=wp_like_button_controller&task=[some_task_here]'

Replace 'example.com' with the target website and '[some_task_here]' with the desired operation.

Mitigation

To mitigate this vulnerability, website administrators running affected versions of the plugin are strongly encouraged to update to the latest available version of CRUDLab WP Like Button, which is currently 1.7.1.

Conclusion

CVE-2023-47820 is a missing authorization vulnerability that affects the CRUDLab WP Like Button plugin, potentially allowing attackers to exploit weak access control configurations. For website administrators using the WP Like Button plugin, it is crucial to update to the latest version as soon as possible to prevent potential attacks.

Original References

- National Vulnerability Database (NVD): CVE-2023-47820 Information
- WP Vulnerability DB: CRUDLab WP Like Button - Missing Authorization including 1.7.
- CRUDLab: WP Like Button Changelog - Fixes in 1.7.1

Timeline

Published on: 12/09/2024 13:15:31 UTC