CVE-2023-44472 - How a Missing Authorization Bug Opened Thousands of WordPress Sites to Hackers (Unyson <= 2.7.28)

WordPress is the go-to platform for millions of websites, and it thrives on plugins and themes that add cool new features. But what happens when one of those plugins has a dangerous bug? Let's talk about CVE-2023-44472, a missing authorization flaw in the popular Unyson plugin (from all versions through 2.7.28) by ThemeFuse—one that let attackers take over WordPress sites.

This post breaks down what went wrong, how attackers can take advantage of it, and how you can protect yourself. No jargon, just clear info.

🔥 What is Unyson?

Unyson is a free drag-and-drop framework for WordPress themes. It’s very popular because it lets non-coders build pages, sliders, backup sites, and more with ease.

🐞 The Vulnerability in a Nutshell

CVE-2023-44472 is a missing authorization vulnerability. In simple terms, it occurs when a plugin fails to check whether someone is *allowed* to do something before letting them do it.

In Unyson's case, certain admin functions (like backups, importing, and even executing tasks) could be reached directly without checking if the visitor was logged-in or an admin—meaning anyone who figured out the special URLs (AJAX endpoints) could run dangerous tasks.

Affected Versions:
Unyson ALL versions up to and including 2.7.28.

No Login, No Problem:

Some functions registered with WordPress AJAX actions (like wp_ajax_nopriv_) could be accessed by NON-logged in users because there was no capability or user check.

Malicious Requests:

Attackers could send crafted POST or GET requests to trigger backup, restore, import demo content, or even upload malicious files.

Suppose in /framework/extensions/backup/includes/ajax.php you see code like

add_action( 'wp_ajax_nopriv_fw_backup_download', 'fw_backup_download' );

function fw_backup_download() {
    // NO user check here!
    $backup_file = $_POST['backup_file'];
    // Code to send file to user
}

Notice: wp_ajax_nopriv_ allows unauthenticated use.
There’s NO check to see if the user is an admin.

Real Exploit: Download Backup Files with User Data

An attacker can POST to the vulnerable endpoint to download a backup file containing everything—including database credentials and WordPress user data.

Example Request

POST /wp-admin/admin-ajax.php?action=fw_backup_download HTTP/1.1
Host: victim.example.com
Content-Type: application/x-www-form-urlencoded

backup_file=../private_website_backup.zip

After the request, the attacker gets the website’s private backup!
Depending on the function, some endpoints allow uploading arbitrary files or triggering other dangerous actions.

🔗 References

- Wordfence Advisory
- Patchstack Disclosure
- Official Unyson GitHub
- CVE Details for CVE-2023-44472

Update Unyson Immediately:

Upgrade to the latest Unyson version (download here). If it’s not maintained, consider removing it.

Check for Backdoors:

If your site had this version, scan for extra admins, unknown PHP files, or tweaked files—they may have been added by hackers.

Monitor for Suspicious Activity:

Use a security plugin like Wordfence or Sucuri.

💡 Conclusion

CVE-2023-44472 is a reminder: plugins can open doors to attackers if authorization is not checked everywhere!
If you use Unyson up to 2.7.28, patch now—or risk losing your site to hackers.

Stay safe, and keep those plugins updated! 🚀

Questions?
Drop them below or reach out on GitHub Issues!

Timeline

Published on: 05/03/2024 08:15:06 UTC
Last modified on: 06/17/2024 20:47:44 UTC