CVE CyberSecurity Database News

CVE-2023-25455 - How a Missing Authorization Bug in miniOrange WordPress Social Login and Register Lets Attackers Exploit Your Site

Poster -

If you’re using WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) by miniOrange, your website could be exposed to hackers. The vulnerability, known as CVE-2023-25455, lets bad actors take advantage of weak access control. This means unauthorized people can perform actions on your site that should be reserved for only trusted users or admins.

Let’s break down what this vulnerability is, how exploit works, and what you should do to protect your website.

What is CVE-2023-25455?

CVE-2023-25455 is a Missing Authorization vulnerability discovered in the miniOrange Social Login and Register plugin for WordPress. The security flaw exists in versions up to and including 7.6. due to Incorrectly Configured Access Control Security Levels. In simple terms, certain sensitive plugin actions didn’t properly check if the user is actually allowed to do them.

Affected Product:
WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) by miniOrange
Versions Impacted: There is no public record of affected versions before 7.6., so if you’re on any version up to and including 7.6., consider yourself at risk.

How Does the Exploit Work?

Simply put, some actions in the miniOrange plugin backend can be done by *anyone*, not just logged-in or authorized users. If a bad actor figures out the right URL or AJAX request, they can:

Potentially add their own authentication details

This happens because the plugin doesn’t check the user's permission in some critical functions.

Here’s what the vulnerable code in ajax_process.php could look like

// BAD: No authentication or capability check!
if ($_POST['action'] == 'update_social_login_settings') {
    $new_settings = $_POST['settings'];
    update_option('mo_social_login_settings', $new_settings);
    echo "Settings updated!";
    exit;
}

What’s missing here?

There should be a check like this

// GOOD: Only allow admins to update settings
if (!current_user_can('manage_options')) {
    wp_die('Unauthorized!');
}

Without this check, any attacker who knows this code is there can send a simple POST request to your AJAX handler and change important settings.

Find the Vulnerable AJAX Endpoint:

- Tools like Burp Suite, OWASP ZAP, or just the browser’s Dev Tools can help an attacker spot AJAX URLs like /wp-admin/admin-ajax.php.

`http

POST /wp-admin/admin-ajax.php ACTION=update_social_login_settings&settings={"some":"evil"}

`bash

curl -d "action=update_social_login_settings&settings={\"enable\":\"1\"}" https://targetsite.com/wp-admin/admin-ajax.php

Take Over Plugin Config:

- Now the attacker might enable or reconfigure social providers, possibly redirecting new logins or using their own OAuth keys.

Further Exploitation:

- With control over social login, attackers can hijack the login process or even slip in their own admin users if the plugin supports auto account creation.

References and More Information

- NVD - CVE-2023-25455: National Vulnerability Database
- Wordfence Security Advisory
- miniOrange Social Login Plugin on WordPress.org
- WPScan Advisory

Review User Accounts:

Check for unfamiliar admin or user accounts created around times when your site may have been exposed.

Conclusion

CVE-2023-25455 shows how vital it is for plugin developers to check permissions before taking any action—and for site owners to keep plugins updated. If you use WordPress Social Login and Register by miniOrange, make sure you’re patched up and watch out for strange new users or plugin settings.

Take a few minutes today and make sure your site (and your users) are safe. Don’t give attackers the key to your front door!

Timeline

Published on: 12/09/2024 13:15:23 UTC