In late 2023, security researchers discovered a Missing Authorization vulnerability—tracked as CVE-2023-47764—in the popular WordPress plugin, Ditty by Metaphor Creations. This plugin is used for displaying custom content and news tickers on WordPress websites and is installed on over 40,000 sites worldwide. The vulnerability can allow attackers to exploit incorrectly configured access control levels and perform actions they should not be authorized to do, like modifying, deleting, or exporting data in the plugin.
This exclusive post will break down what CVE-2023-47764 is, how it works, who is affected, and even provide a basic example of exploitation. If you run Ditty (any version up to and including 3.1.24), you need to keep reading!
What Makes CVE-2023-47764 a Big Deal?
The main issue here is missing authorization in the Ditty plugin's code. The plugin fails to properly check if a user is allowed to perform certain actions, which means anyone—even users with very limited permissions, like a "subscriber"—can potentially do things intended only for admins.
Specifically, the vulnerability allows a malicious user to exploit incomplete access control. This kind of bug is particularly risky in a plugin as popular as Ditty, opening up a big attack surface across thousands of websites.
Who Is Affected?
If your website runs any Ditty version up to and including 3.1.24 (earlier versions aren't individually listed), you are vulnerable. The issue was patched after version 3.1.24, so updating the plugin is critical.
Technical Details
At the heart of the bug is insufficient authorization checks in AJAX actions exposed by the plugin. AJAX endpoints in WordPress usually need to be registered with permission checks—Ditty missed this on several endpoints.
For example, a typical AJAX handler in a well-coded plugin might look like this:

```php
add_action( 'wp_ajax_ditty_export_data', 'ditty_export_data_callback' );
function ditty_export_data_callback() {
    // Check if the current user can manage options!
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
        exit;
    }
    // Export logic here...
}
```
But in affected Ditty versions, these checks were missing or too weak; attackers could call certain endpoints directly even if not logged in or only logged in as a low-privilege user.
How Attackers Can Exploit CVE-2023-47764
Let’s say the plugin allows users to export ticker data via AJAX. If there’s no permission check, an attacker could simply send a specially crafted POST request to the site’s WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the appropriate action set—in this case, ditty_export_data.
Here’s a sample cURL command an attacker might use after registering as a low-privilege user:

```bash
curl -X POST https://example.com/wp-admin/admin-ajax.php \
  -d 'action=ditty_export_data&id=1'
```
Depending on what the endpoint allows, the attacker could:
- Export all your custom ticker/data content
- Potentially craft additional attacks using leaked data
Because Ditty failed to do a capability check (current_user_can()), anyone can hit these endpoints.
Reference Links
- NVD: CVE-2023-47764
- Packet Storm Writeup
- Ditty Plugin Page
If you use Ditty:
- Update immediately to the latest Ditty version (fixing this issue) from your WordPress dashboard or plugin page.
- Consider reviewing other installed plugins for similar issues: are all your plugins and themes up-to-date?
- Audit your site for new or unusual users or export/download events, as these could indicate past abuse.
- Find "Ditty" in your list of installed plugins. If it’s version 3.1.24 or lower, you’re vulnerable.
- To test, you can attempt a non-destructive action: log in as a low-privilege user and attempt an AJAX call for ditty_export_data as described above. If you receive data you shouldn’t, you’re vulnerable.
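To support the "review other installed plugins" and "test" steps above, and the authorization check explained under Technical Details, here is an added example (not from the original post and not Ditty's code): a Python script that statically scans a plugin's PHP for wp_ajax_* registrations whose callback lacks a current_user_can() or nonce check, or that are also registered as wp_ajax_nopriv_ for anonymous users. The PHP it scans is a constructed sample; function names such as ditty_get_export and ditty_delete_item are hypothetical.

```python
import re

# Constructed sample of plugin source (hypothetical, not Ditty's real code):
# an unchecked export handler also exposed to anonymous users via nopriv_,
# and a hardened delete handler with nonce and capability checks.
SAMPLE_PLUGIN_SRC = r"""
add_action( 'wp_ajax_ditty_export_data', 'ditty_export_data_callback' );
add_action( 'wp_ajax_nopriv_ditty_export_data', 'ditty_export_data_callback' );
function ditty_export_data_callback() {
    wp_send_json_success( ditty_get_export( intval( $_POST['id'] ) ) );
}
add_action( 'wp_ajax_ditty_delete_item', 'ditty_delete_item_callback' );
function ditty_delete_item_callback() {
    check_ajax_referer( 'ditty_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
    }
    ditty_delete_item( intval( $_POST['id'] ) );
    wp_send_json_success();
}
"""

# Matches add_action( 'wp_ajax_<action>', 'callback' ) and the nopriv_ variant.
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
CAP_CHECK = "current_user_can("
NONCE_CHECKS = ("check_ajax_referer(", "wp_verify_nonce(")

def function_body(src, name):
    """Body of the named PHP function found by brace counting ('' if absent)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)  # braces inside string literals would skew this
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """Flag handlers missing a capability or nonce check, or registered for nopriv_ (anonymous) use."""
    findings = []
    for nopriv, action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        has_cap, has_nonce = CAP_CHECK in body, any(n in body for n in NONCE_CHECKS)
        if nopriv or not has_cap or not has_nonce:
            findings.append({"action": action, "callback": callback, "nopriv": bool(nopriv),
                             "has_capability_check": has_cap, "has_nonce_check": has_nonce})
    return findings
```

Run it over a plugin's PHP files and review every finding by hand: a capability check may live in a helper the scanner does not follow, and the brace counting is a heuristic, not a parser.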
Conclusion
CVE-2023-47764 is another clear warning that access control is critical in web application code, especially in WordPress plugins with a broad install base. Even popular, well-maintained plugins like Ditty can have these flaws if endpoints aren’t properly secured. Patch early, audit often, and always check your own code for authorization at every entry point!
Have you updated your Ditty plugin? Now’s the time!
*If you have more questions or want to see more vulnerable code breakdowns, leave a comment below!*
Timeline
Published on: 12/09/2024 13:15:30 UTC