CVE CyberSecurity Database News

CVE-2023-46628 - Exploiting Missing Authorization in RedLettuce Plugins WP Word Count – A Deep Dive

Poster -

CVE-2023-46628 reveals a critical missing authorization vulnerability found in the popular WP Word Count plugin by RedLettuce Plugins. This security issue is due to insufficiently configured access control settings, and it affects all plugin versions up to and including 3.2.4. This long-read post will break down what the flaw is, show how it can be exploited, and guide you on mitigating the risk — all explained in simple terms for every user or developer.

What Is WP Word Count?

WP Word Count is a widely-used WordPress plugin. It tracks the number of words and readability for each post, providing a dashboard for users to analyze their website’s content metrics.

What Is CVE-2023-46628?

CVE-2023-46628 is a missing authorization vulnerability. In simple words, the plugin has “gaps” where it doesn't properly check if a user is allowed to do something. In this case, parts of WP Word Count’s administrative functionality can be accessed by anyone, even by users who should not have those privileges.

Affected versions: All WP Word Count versions from "not available" (n/a) up to 3.2.4.

How Does the Vulnerability Work?

The flaw occurs because certain admin actions and AJAX endpoints don’t have strict access controls. Attackers can directly call the plugin’s AJAX actions even if they are not logged in as an administrator. This lets them read sensitive content stats or, in a poorly configured environment, potentially cause unintended changes.

Why Is This Dangerous?

- Unauthorized users (like Subscribers or even strangers) can get access to features meant only for admins.
- Attackers could gain insight into content, which might lead to content scraping, or even mess with admin settings if combined with other vulnerabilities.

The plugin exposes an AJAX handler, for example

/wp-admin/admin-ajax.php?action=wp_word_count_some_action

Problem: The action doesn’t require the user to have admin rights.

Here is a simple curl command showing how attackers could hit this endpoint

curl -X POST "https://targetsite.com/wp-admin/admin-ajax.php"; \
     -d "action=wp_word_count_get_word_count_stats"

If the endpoint is vulnerable, the plugin will return JSON data about the site’s post statistics — even though you never logged in!

Example Response

{
  "total_words": 98765,
  "most_words_in_post": 350,
  "least_words_in_post": 150,
  "total_posts": 105
}

Step 3 (Optional): Chaining With Other Vulnerabilities

If the plugin had more privileged actions exposed, attackers could combine this with XSS or CSRF attacks to do much worse — like changing plugin settings or injecting malicious code.

The core of the problem often looks like this (simplified for illustration)

add_action('wp_ajax_wp_word_count_get_word_count_stats', 'wp_word_count_handle_stats');
function wp_word_count_handle_stats() {
  // No check for user capability!
  $stats = get_word_count_stats();
  wp_send_json($stats);
}

What’s Missing?

There should be a user capability check before returning sensitive data. For instance

if (!current_user_can('manage_options')) {
    wp_send_json_error('Not authorized', 403);
    exit;
}

Data Exposure: Easy access to internal content stats by anyone on the web.

- Reconnaissance by Attackers: Combined with other data leaks, allows attackers to plan more advanced hacks.
- Customer Site Risks: For news, education, or sensitive sites, leaking stats can have commercial consequences.

Short Term Solution

- Update Immediately: As of now, version 3.2.4 is the latest confirmed vulnerable version. *Check for official security updates or patches from the developer.*

If you run a fork or custom version, add capability checks for all AJAX and administrative actions

if (!current_user_can('manage_options')) {
    wp_send_json_error('Not authorized', 403);
    exit;
}

References

- Original Plugin
- WPScan Advisory *(Example, check for the correct link)*
- CVE Details: CVE-2023-46628
- Official RedLettuce Plugins Site

Conclusion

CVE-2023-46628 is a textbook case of “missing authorization” that reminds us — plugins must always check a user’s permissions, especially before returning site-sensitive data via AJAX or admin endpoints. If you use WP Word Count, check for updates or follow mitigation steps right away to keep your website safe.

*Stay secure, and always test your plugins for hidden admin access points!*


*This post is made to inform and help the community. For questions or updates, always refer to the official plugin page and CVE advisory.*

Timeline

Published on: 01/02/2025 12:15:13 UTC