WordPress is the backbone of over 40% of the web, powering millions of blogs, shops, and business pages. But with its popularity comes a gold mine for attackers looking for weak spots in its plugins. One recent critical vulnerability, CVE-2023-46644, lurks in the “WP CTA PRO WordPress CTA” plugin. This issue allows bad actors to abuse misconfigured access controls, gaining abilities they're never supposed to have. In this article, we’ll break down how this works, show a sample exploit, and offer advice on staying safe.
What is CVE-2023-46644?
- Type of bug: Missing/Incorrect Authorization (“Broken Access Control”)
Affected Software: WP CTA PRO WordPress CTA
- Affected Versions: All from “n/a through 1.5.8” (the vulnerability persisted through version 1.5.8)
Where to Read More
- WPScan Entry (wpvulndb.com)
- NVD CVE-2023-46644
- Plugin homepage
The Problem: Flawed Access Control
Missing authorization means the plugin trusts anyone who calls certain functions, never checking if they're actually allowed. In WP CTA PRO, several admin-level tasks (like editing or deleting CTAs) are accessible to anyone—even non-logged-in users—because the plugin forgets to require proper user permissions.
Example: The Faulty Function
The file responsible is usually something like includes/ajax.php or similar, which handles AJAX requests. Here’s a simplified look at what happens:
// Pseudo-code representation
add_action('wp_ajax_save_cta', 'save_cta_callback');
function save_cta_callback() {
// MISSING: current_user_can('manage_options') or a nonce check
$title = $_POST['title'];
$content = $_POST['content'];
$post_id = wp_insert_post([
'post_title' => $title,
'post_content' => $content,
'post_type' => 'cta',
'post_status' => 'publish'
]);
echo json_encode(['success' => true, 'id' => $post_id]);
wp_die();
}
In the above snippet, there’s no check to see whether the requester is logged in, let alone allowed to create CTAs (calls-to-action). This means *anyone* can POST here and the plugin will happily do the work.
Attacker issues a POST request to the vulnerable AJAX URL
- /wp-admin/admin-ajax.php?action=save_cta
Suppose you want to create a malicious CTA
curl -X POST 'https://victimsite.com/wp-admin/admin-ajax.php'; \
-d 'action=save_cta' \
-d 'title=Click Me!' \
-d 'content=<script>alert("hacked!")</script>'
The attacker can now flood your site with unwanted CTAs, inject malicious scripts (potential XSS), or even perform more advanced attacks if the CTA hook is used elsewhere on the site.
Defacement: Publicly viewable CTAs filled with spam, ads, or phishing links.
- XSS (Cross-Site Scripting): If attacker controls CTA content and site doesn't sanitize output, it leads to further exploits.
function save_cta_callback() {
// Only admins or editors can add CTAs
}
// Existing code...
}
`
3. Block access to AJAX endpoints for unauthenticated users if you don’t use this functionality publicly.
Exploit is basic: Just send a POST request, no special tricks needed.
- Fixes: Update plugin; if not possible, manually add user/nonce checks to PHP.
Stay up to date: Always check your plugins for security advisories, and never use old versions of plugins, especially those that interact with visitors!
References
- WPScan - CVE-2023-46644
- NVD Details
- WordPress Plugin Directory: WP CTA PRO
Got questions about this vulnerability or need a hand protecting your WordPress site? Leave a comment!
Timeline
Published on: 01/02/2025 12:15:14 UTC