In late 2023, security researchers uncovered a critical Missing Authorization vulnerability in Convertful – Your Ultimate On-Site Conversion Tool WordPress plugin from Ruslan Suhar. Cataloged as CVE-2023-46605, this vulnerability lets attackers exploit incorrectly configured access control levels, granting unauthorized access to sensitive plugin functions. Affecting all versions up to and including 2.5, this flaw can allow bad actors to manipulate campaigns, steal leads, and compromise site integrity.
Below, we'll break down how CVE-2023-46605 works, show a simple exploit demonstration, and provide references for patching and deeper reading.
What is Convertful?
Convertful is a popular WordPress plugin that helps website owners collect emails, promote products, and convert visitors with on-site widgets like popups, slide-ins, and more. Its tight integration with third-party marketing tools makes it a favored plugin among marketers.
What Went Wrong?
The plugin exposes several AJAX actions that handle plugin features for logged-in users. In a misstep, security checks (nonces or user capabilities) are missing or weakly implemented for some endpoints. This means an attacker who is not authenticated can send HTTP POST or GET requests to these endpoints and execute actions that should be restricted to administrators or site editors.
Example Endpoint
Typically, WordPress AJAX calls go through /wp-admin/admin-ajax.php and require an action parameter like this:
POST /wp-admin/admin-ajax.php?action=convertful_some_action
Example (simplified)
add_action('wp_ajax_convertful_do_something', 'convertful_do_something_callback');
add_action('wp_ajax_nopriv_convertful_do_something', 'convertful_do_something_callback');
function convertful_do_something_callback() {
// [MISSING] Capability or nonce checks
update_option('convertful_options', $_POST['data']);
wp_send_json_success();
}
> What's wrong here?
> There is no check for user capability (current_user_can('manage_options')) or a valid nonce! Anyone (even not logged in) can make this call and change site options.
Exploit PoC: (using curl)
curl -X POST \
-d 'action=convertful_do_something&data={"lead_email":"attacker@example.com"}' \
https://victim-site.com/wp-admin/admin-ajax.php
What happens?
This request, sent by a non-authenticated user, might trigger sensitive lead export, overwrite campaign settings, or do other admin-only tasks.
Update Immediately:
Download the latest version of Convertful from the WordPress plugin repository. Updates released after v2.5 reportedly patch this issue.
Audit Custom Plugins:
If you have custom actions in your own plugins, always use current_user_can() to restrict user roles, and verify check_admin_referer() or use nonces to stop CSRF.
Sample Secure Callback
function convertful_do_something_callback() {
if (!current_user_can('manage_options') || !check_ajax_referer('convertful_nonce', false, false)) {
wp_send_json_error('Not allowed!', 403);
}
update_option('convertful_options', $_POST['data']);
wp_send_json_success();
}
References
- NVD Entry for CVE-2023-46605
- Wordfence Advisory for Convertful Vulnerability
- Plugin Homepage: Convertful
- Official Fixes & Updates
Conclusion
CVE-2023-46605 is a powerful reminder that missing simple authorization checks in plugins can have site-wide consequences. If you use Convertful – Your Ultimate On-Site Conversion Tool, update immediately. Always practice secure coding: authenticate, authorize, and verify every action, especially when handling AJAX or REST API endpoints.
Timeline
Published on: 01/02/2025 12:15:11 UTC