CVE-2023-47523 - How a Missing Authorization Bug in Ecreate Infotech’s Auto Tag Creator Lets Attackers Bypass Security Control

In late 2023, a significant security flaw was found in Ecreate Infotech’s Auto Tag Creator, a WordPress plugin widely used to automate the process of adding tags to posts. If you’re using version 1..2 or earlier, you should pay close attention. This post explains what the CVE-2023-47523 vulnerability is, how it can be exploited, and what you can do to stay protected.

What Is CVE-2023-47523?

CVE-2023-47523 is a Missing Authorization or “broken access control” vulnerability that affects the Auto Tag Creator plugin from its unknown initial release up through version 1..2. This bug happens because the plugin does not properly check if a user is authorized to perform certain sensitive actions. Because of this, attackers—no matter if they’re logged in or not—could perform actions that are supposed to be restricted to admins or editors.

How the Bug Works

In WordPress plugins, developers sometimes forget to check if the current user has enough permissions before allowing them to call certain functions—especially those that change data. In Auto Tag Creator, certain functions were left open to the public, without a proper current_user_can() or check_admin_referer() verification.

Vulnerable Code Example

Below is a simplified, real-world example of what the vulnerable code might look like inside the plugin:

// INSECURE CODE - For Illustration Only!
add_action('wp_ajax_auto_tag_add', 'atc_add_tag_function');

function atc_add_tag_function() {
    // NO authorization check!
    $tag = sanitize_text_field($_POST['tag']);
    wp_insert_term($tag, 'post_tag');
    echo 'Tag created';
    wp_die();
}

What’s missing?

There’s NO *check* to make sure the request comes from a logged-in admin or editor. Anyone who can craft a POST request to admin-ajax.php with action=auto_tag_add can create arbitrary tags.

Exploit Details

An attacker can simply use a tool like cURL, Burp Suite, or even browser JavaScript, to send an unauthorized POST request to the site:

curl -X POST -d 'action=auto_tag_add&tag=malicious-tag' https://victim-site.com/wp-admin/admin-ajax.php

With this, the attacker can create unlimited tags, potentially flooding your site or even exploiting further weaknesses if the plugin’s tagging is tied with other features (like auto-publishing or categorization).

Data Pollution: Attackers can stuff your tag database with junk or malicious tags.

- Privilege Escalation: In extreme cases, if tags trigger certain automations or if tag names are processed unsafely elsewhere, attackers could compromise other data.
- SEO Damage: Flooding a WordPress site with bad tags can harm your SEO, create spammy appearances, and even trigger blacklisting.

Update the Plugin:

The best fix is to upgrade to the latest version (if and when a patch is released). The developer should add a capability check, for example:

wp_die();

}

Monitor Logs for unknown or mass tag creation requests.

4. Restrict Access by locking down /wp-admin/admin-ajax.php to logged-in users from your country/IP if possible.

References

- NVD Entry for CVE-2023-47523
- WPScan Advisory Database
- Plugin Homepage

Conclusion

CVE-2023-47523 is a perfect example of why authorization checks are essential in web plugins. If you use Auto Tag Creator, act now to update or remove the plugin to avoid being caught by opportunistic attackers. Monitor your WordPress site for any suspicious tag activity, and encourage plugin developers to follow WordPress best practices for user capability checks.

Stay safe—don’t let simple mistakes open the door to big security problems!

Timeline

Published on: 01/02/2025 12:15:15 UTC