CVE-2023-45101 - Exploiting “Missing Authorization” in Customer Reviews for WooCommerce (CusRev Plugin) – How Attackers Can Access and Modify Your Store Without Permission
CVE-2023-45101 is a critical security flaw discovered in the popular CusRev "Customer Reviews for WooCommerce" WordPress plugin. This bug, affecting all versions up to and including 5.36., enables unauthorized users to perform sensitive actions due to missing authorization checks. In plain words, attackers can sneak past security barriers and mess with settings or steal information they shouldn’t have access to.
If you own an e-commerce shop powered by WooCommerce and rely on CusRev to show customer reviews, this vulnerability puts your site, your customers' data, and your store’s reputation at risk.
Let’s break down how this bug works, how you can test it, and how to secure your site.
Overview: What Is CVE-2023-45101?
- Vulnerability Type: Missing Authorization / Improper Access Control
- Exploit Level: Unauthenticated (anyone on the internet can exploit)
- CVE Reference: CVE-2023-45101 (NVD)
What is “Missing Authorization”?
Normally, certain actions (like changing plugin settings or managing reviews) should only be allowed by authorized users—usually, site admins. With CVE-2023-45101, some CusRev plugin features failed to check if the person trying to use them was actually allowed to, giving anyone a backdoor.
Vulnerable Code Path
At the heart of the problem, the CusRev plugin exposes AJAX endpoints (special URLs where JavaScript on your shop’s dashboards talks to the server) for its front-end features. But the code didn’t check if the request was coming from a real admin or just any visitor.
A snippet of vulnerable PHP code might look like this:

```php
// Registers the handler for logged-in users AND, via the nopriv hook, for logged-out visitors.
add_action('wp_ajax_cusrev_update_settings', 'cusrev_update_settings');
add_action('wp_ajax_nopriv_cusrev_update_settings', 'cusrev_update_settings');

function cusrev_update_settings() {
    // Missing checks like current_user_can('manage_options') and check_ajax_referer().
    // Input is sanitized, but any caller gets to choose BOTH the option name and its value.
    $option = sanitize_text_field($_POST['option']);
    $value  = sanitize_text_field($_POST['value']);
    update_option($option, $value);
    wp_send_json_success();
}
```
See the problem? The function lacks an authorization check. Anyone can POST data to the endpoint and change plugin options.
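For contrast, here is a hardened version of that handler. This is an added example written for this post, not the plugin's actual patched code: the nopriv hook is dropped, the request must carry a valid nonce, the caller must hold manage_options, and only an allowlisted option name can be written. The nonce action name cusrev_settings_nonce and the option names in the allowlist are assumed.

```php
<?php
// Hardened settings handler (added example, not CusRev's own code).
// Only the wp_ajax_ hook is registered: logged-out visitors never reach this function.
add_action('wp_ajax_cusrev_update_settings', 'cusrev_update_settings_secure');

function cusrev_update_settings_secure() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    //    The nonce action name 'cusrev_settings_nonce' is assumed. Dies with 403 on failure.
    check_ajax_referer('cusrev_settings_nonce', 'nonce');

    // 2. Authorization: only users allowed to manage site options may change settings.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    // 3. Allowlist: never let the client pick an arbitrary option name, or the endpoint
    //    becomes a generic "write any wp_options row" primitive. Option names are assumed.
    $allowed_options = array('cusrev_api_key', 'cusrev_reviews_enabled');
    $option = isset($_POST['option']) ? sanitize_key(wp_unslash($_POST['option'])) : '';
    if (!in_array($option, $allowed_options, true)) {
        wp_send_json_error(array('message' => 'Unknown option.'), 400);
    }

    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    update_option($option, $value);
    wp_send_json_success(array('option' => $option));
}

// The nonce is issued server-side and handed to the admin script, for example:
//   wp_localize_script('cusrev-admin', 'cusrevAjax',
//       array('nonce' => wp_create_nonce('cusrev_settings_nonce')));
```

The capability check alone closes the unauthenticated case described in this post; the nonce additionally stops a logged-in administrator from being tricked by a third-party page into submitting the same request.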
1. Find the AJAX Endpoint
WordPress AJAX endpoints for plugins live at /wp-admin/admin-ajax.php. The plugin registers functions like cusrev_update_settings for both logged-in and logged-out users (the nopriv hook).
2. Forge an Exploit Request
Any attacker can send an HTTP POST request with their own data and hijack plugin settings.
Here’s a simple example using curl to update the plugin’s options:

```bash
curl -X POST https://yourshop.com/wp-admin/admin-ajax.php \
  -d 'action=cusrev_update_settings' \
  -d 'option=cusrev_api_key' \
  -d 'value=attacker_value'
```
This sets the API Key the plugin uses to communicate with external services—an attacker might redirect reviews, steal customer emails, or disable reviews entirely!
3. No Authentication Needed
The mistake here: there is no user authentication required—no current_user_can(...) or nonce checking.
What Can Go Wrong?
- Stealing Customer Data: If options allow it, attackers can forward review data or capture customer emails.
- Changing Settings: Disable reviews, or redirect all new reviews elsewhere.
- Disruption: Attackers can reset API keys, causing service outages or flood sites with fake reviews.
1. Update the CusRev Plugin Immediately
Check your current plugin version. Update via the WordPress plugins dashboard or download the latest version from WordPress.org. Versions after 5.36 have fixed the vulnerability by adding strict authorization checks.
2. Audit Plugin Settings & User Access
After updating, double-check all settings and look out for suspicious changes.
3. Look For Signs of Exploitation
Check access logs for suspicious POST requests to /wp-admin/admin-ajax.php with the action cusrev_update_settings. Note that the action only appears in a standard access log when it is passed in the query string; a request that sends the action in the POST body (as the curl example above does) is logged only as POST /wp-admin/admin-ajax.php, so you may need request-body logging, a WAF log, or an option change history to spot it. Look for settings that have changed suddenly without legitimate admin action.
Example log entry:

```
POST /wp-admin/admin-ajax.php?action=cusrev_update_settings HTTP/1.1
```
References & Further Reading
- CVE Advisory: CVE-2023-45101
- CusRev – WordPress.org
- Sucuri Blog: Understanding WordPress Authorization Flaws
- OWASP: Broken Access Control
Conclusion
CVE-2023-45101 shows how a single missing authorization check in a popular WooCommerce plugin can open the door to attackers—no hacking skills required. All site owners using CusRev “Customer Reviews for WooCommerce” through version 5.36 should patch immediately and review their settings and logs.
Security is everyone’s responsibility. Share this post with your fellow WordPress and WooCommerce shop owners, and keep your plugins up to date!
*Stay safe, keep your customers’ trust, and happy selling!*
Timeline
Published on: 01/02/2025 12:15:08 UTC