In this post we discuss a recently disclosed vulnerability, CVE-2022-3511, in the Awesome Support WordPress plugin (versions before 6.1.2). The flaw allows low-privileged users (e.g., subscribers) to gain unauthorized access to exported ticket archives by exploiting an Insecure Direct Object Reference (IDOR). We will cover the following topics:

- Original references for further reading.

Before we dive in, let's get familiar with the Awesome Support plugin and the affected versions.

Background

The Awesome Support WordPress plugin is a widely used helpdesk and support tool, designed for managing user inquiries through a ticketing system. The vulnerability in question, CVE-2022-3511, affects Awesome Support plugin versions prior to 6.1.2.

Understanding the Vulnerability

CVE-2022-3511 lies in a feature of the Awesome Support plugin that lets users export tickets into an archive file for download. The plugin does not adequately verify that the user requesting an exported tickets archive is its rightful owner, resulting in an Insecure Direct Object Reference (IDOR) vulnerability: the archive is selected purely by an attacker-controllable ID.

Reproducing the Exploit

For those who want to understand and reproduce the vulnerability, we have outlined the steps below. Please note that this is for educational purposes only and should not be used for malicious intent.

Step 1: Identify the target WordPress website using the Awesome Support plugin version lower than 6.1.2.

Step 2: Register an account with minimal privileges (e.g., subscriber) or log in if you already have one.

Step 3: Install an interception tool (such as Burp Suite) to intercept and modify HTTP requests.

Step 4: Export a ticket archive using an authorized account (e.g., the admin account). Take note of the archive's unique ID.

Step 5: With your low-privileged account, attempt to download an exported ticket archive. Navigate to the download page and inspect the HTTP request using the interception tool.

Step 6: Modify the HTTP request by replacing the ticket archive ID with the ID noted in step 4.

Step 7: Forward the modified request. If successful, you will download the exported ticket archive, thus exploiting the vulnerability.

Code Snippet for the Vulnerable Function

The following code snippet illustrates the vulnerable functionality within the Awesome Support plugin:

function download_exported_tickets() {
  global $current_user;

  // Only act on requests that carry the download trigger parameter.
  if (!isset($_GET['download_exported_tickets'])) {
    return;
  }

  // Nonce check: confirms the request came from a link this site issued,
  // but says nothing about whether this user may read this particular archive.
  if (!check_admin_referer('download_exported_tickets_nonce')) {
    return;
  }

  // The archive is selected solely by a caller-supplied integer ID.
  $exported_tickets_id = absint($_GET['tickets_id']);

  // Here, user authorization is not properly validated: the ID is never
  // tied back to the requesting user before the file is served.
  $file_path = wpas_get_option("ticket_exporter_store_path") . "/exported_tickets_$exported_tickets_id.zip";

  header("Content-Type: application/zip");
  header("Content-Disposition: attachment; filename=exported_tickets_$exported_tickets_id.zip");
  header("Content-Length: " . filesize($file_path));
  readfile($file_path);
  exit;
}

add_action('admin_init', 'download_exported_tickets');

As shown, there is no proper validation to ensure that the requester is the rightful owner of the exported tickets archive being downloaded.
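For comparison, the following is an added example of how the same handler looks once an object-level authorization check is in place. This is illustrative code written for this post, not the plugin's own fix. It assumes that the owner of each export archive was recorded when the archive was created, here in an option named `wpas_export_owner_<id>` (an assumed storage scheme), and that the `view_ticket` capability is the one that gates ticket visibility (also an assumption); everything else uses standard WordPress functions plus `wpas_get_option` from the snippet above.

```php
<?php
// Added example, not Awesome Support's own code: an ownership-checked variant of
// the download handler. The option name 'wpas_export_owner_<id>' and the
// 'view_ticket' capability are assumptions made for this illustration.
function download_exported_tickets_hardened() {
    if ( ! isset( $_GET['download_exported_tickets'] ) ) {
        return;
    }

    // Nonce check still applies (CSRF protection), but it is not authorization.
    if ( ! check_admin_referer( 'download_exported_tickets_nonce' ) ) {
        return;
    }

    // Require an authenticated user who may see tickets at all; subscribers stop here.
    if ( ! is_user_logged_in() || ! current_user_can( 'view_ticket' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    $exported_tickets_id = absint( $_GET['tickets_id'] );
    if ( 0 === $exported_tickets_id ) {
        wp_die( 'Bad request', 'Bad request', array( 'response' => 400 ) );
    }

    // Object-level authorization: the requested archive must belong to the caller,
    // unless the caller is an administrator. This is the check the vulnerable code lacks.
    $owner_id = (int) get_option( 'wpas_export_owner_' . $exported_tickets_id, 0 );
    if ( $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    // Build the path from trusted pieces and confirm it resolves inside the store directory.
    $store     = realpath( wpas_get_option( 'ticket_exporter_store_path' ) );
    $file_path = realpath( $store . '/exported_tickets_' . $exported_tickets_id . '.zip' );
    if ( false === $store || false === $file_path
        || 0 !== strpos( $file_path, $store . DIRECTORY_SEPARATOR )
        || ! is_file( $file_path ) ) {
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }

    nocache_headers();
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="exported_tickets_' . $exported_tickets_id . '.zip"' );
    header( 'Content-Length: ' . filesize( $file_path ) );
    readfile( $file_path );
    exit;
}
add_action( 'admin_init', 'download_exported_tickets_hardened' );
```

The key difference is the owner lookup: a nonce proves the request was issued by the site, and a capability check proves the role is allowed to export tickets in general, but only mapping the archive ID back to the requesting user prevents one user from fetching another user's export. The `realpath` containment check is defense in depth; with `absint()` the ID cannot carry path characters, but it keeps the handler safe if the ID source ever changes.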

For further information, consult these original references:

- CVE-2022-3511 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3511
- Awesome Support WordPress Plugin - https://wordpress.org/plugins/awesome-support/
- WPScan Vulnerability Database - https://wpscan.com/vulnerability/d9596017-667a-4962-a34c-e6e1099a8127
- Burp Suite - https://portswigger.net/burp

Conclusion

CVE-2022-3511 is a significant vulnerability in the Awesome Support WordPress plugin that allows low-privileged users to gain unauthorized access to exported ticket archives. Updating the plugin to version 6.1.2 or later removes the flaw. Keeping plugins updated and enforcing object-level authorization on every download or export endpoint minimizes the risk of similar issues in the future.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 03:42:00 UTC