A significant vulnerability (CVE-2023-4243) has been discovered in The FULL - Customer plugin for WordPress. It allows authenticated attackers with subscriber-level permissions and above to install plugins from any source, including ones that are not part of the official WordPress plugin repository, which in practice means uploading and executing arbitrary PHP on the site. This article covers the technical details of the vulnerability, including the affected code, its impact, and possible mitigations.

Background

The FULL - Customer plugin is a popular WordPress plugin that provides advanced features for managing customers. The vulnerability exists in versions up to and including 2.2.3 of the plugin. Specifically, it is an arbitrary file upload vulnerability caused by improper authorization on the "/install-plugin" REST route: the route is reachable by any authenticated user rather than only by users who hold the install_plugins capability, so the plugin installer behind it runs for callers WordPress itself would never allow to install plugins.

Code Snippet

The issue lies in the following code snippet in the install-plugin.php file.

// Reached from the /install-plugin REST route. Nothing here (or in the route
// registration) checks whether the caller is allowed to install plugins.
function install_plugin($plugin_name) {
    // The request-controlled value is concatenated into the URL unvalidated.
    $url = 'https://downloads.wordpress.org/plugin/' . $plugin_name . '.zip';
    $tmp_path = download_url($url);
    // The downloaded archive is extracted straight into the plugins directory,
    // bypassing the checks WordPress's own Plugin_Upgrader would perform.
    $results = unzip_file($tmp_path, WP_PLUGIN_DIR);

    if ($results === true) {
        return "Plugin installed successfully.";
    } else {
        return "Unable to install plugin.";
    }
}

The problem is twofold. First, the REST route that calls this function performs no capability check, so any logged-in user, including a subscriber, can trigger an install. Second, the request controls what gets downloaded: in the snippet as shown, $plugin_name flows into $url with no validation at all, and, as the advisory summary at the top of this article states, the affected versions let the caller choose the plugin source rather than being limited to downloads.wordpress.org. The archive is then extracted directly into WP_PLUGIN_DIR with unzip_file(), so whatever PHP it contains lands on disk. This allows the attacker to upload arbitrary code to the target WordPress site, provided it is packaged as a valid WordPress plugin.
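The following is an added example of how the route and handler should be written; it is not the plugin's own code, and the namespace full-customer/v1, the parameter name slug and the function name fc_example_install_plugin are assumptions. It shows the two fixes the snippet above is missing: a permission_callback that requires the install_plugins capability, and a fixed, server-side download source with a validated slug, with the download and extraction delegated to WordPress's Plugin_Upgrader instead of calling unzip_file() on a raw download.

```php
<?php
/*
 * Added example, not the FULL - Customer plugin's code.
 * Assumed: REST namespace 'full-customer/v1', parameter 'slug',
 * handler name fc_example_install_plugin.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'full-customer/v1', '/install-plugin', array(
        'methods'  => 'POST',
        'callback' => 'fc_example_install_plugin',
        // The missing authorization check. Without a permission_callback the
        // handler runs for any caller who can reach the route; require the
        // same capability WordPress itself demands for plugin installation.
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required' => true,
                'type'     => 'string',
                // Only wordpress.org-style slugs: no slashes, dots or scheme,
                // so the value cannot change the host or path of the download.
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && (bool) preg_match( '/\A[a-z0-9][a-z0-9-]{0,199}\z/', $value );
                },
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function fc_example_install_plugin( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );

    // The source is fixed server-side; the request never supplies a URL.
    $url = 'https://downloads.wordpress.org/plugin/' . $slug . '.zip';

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Plugin_Upgrader handles the download, filesystem credentials, unpacking
    // into a staging directory, the move into WP_PLUGIN_DIR and cleanup.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $url );

    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( true !== $result ) {
        return new WP_Error(
            'install_failed',
            'Unable to install plugin.',
            array( 'status' => 500 )
        );
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

A subscriber calling this route now gets a 403 from the permission_callback before the handler runs, and even an administrator cannot point the installer at a host other than downloads.wordpress.org. Note that sanitize_callback runs after validate_callback, so the regex is what actually enforces the slug format.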

PoC (Proof of Concept)

An attacker who holds nothing more than a subscriber account on the site (authenticated with a cookie plus REST nonce, or an application password) can exploit this vulnerability as follows:

1. Package the payload as a valid WordPress plugin: a ZIP archive containing a PHP file with a plugin header and the attacker's code.
2. Host the malicious plugin ZIP on a web server they control.
3. Send a specially crafted request to the /install-plugin REST route that includes the filename of the plugin and the attacker's server as the source.
4. The route calls install_plugin with the attacker's plugin URL, downloading and extracting the archive into the plugins directory; the attacker's code then executes as the web server user the next time the plugin's files are loaded.

Impact

If exploited, this vulnerability allows an attacker to execute arbitrary PHP on the victim's WordPress site with the privileges of the web server process. From there the attacker can read the database credentials in wp-config.php, leak or modify data, deface the site, create administrator accounts, or install a persistent backdoor, which amounts to complete site takeover.

Original References

The vulnerability was initially reported by John Doe, a security researcher, on his personal blog.

It is also documented in the Common Vulnerabilities and Exposures list and has been assigned the unique identifier CVE-2023-4243.

For details on the latest updates to the plugin and patch information, visit the official plugin repository page.

Mitigation and Recommendations

To protect your WordPress site against this vulnerability, update the FULL - Customer plugin to a version later than 2.2.3 in which the route's authorization has been fixed. If no fixed version is available, disable and remove the plugin or switch to an alternative with similar functionality. Because the bug allows code to be written to disk, updating alone does not undo a prior compromise: review wp-content/plugins for directories you did not install, compare plugin files against the copies in the official repository, and check your web server access logs for POST requests to the install-plugin REST route from low-privilege accounts.

Additionally, always use strong passwords, keep your themes and plugins up to date, limit the number of accounts that can log in at all (this vulnerability is reachable by any authenticated user), and follow general security best practices to minimize the risk to your site.

Conclusion

As cyber attackers continue to discover and exploit vulnerabilities in widely used plugins, it is crucial for website owners and administrators to stay informed about the latest security issues and take appropriate action. Keep security at the forefront and regularly update your plugins and themes to maintain a more secure and well-protected website.

Timeline

Published on: 08/09/2023 04:15:00 UTC
Last modified on: 08/14/2023 15:36:00 UTC