CVE-2023-47776 - Exploiting Missing Authorization in miniOrange OTP Verification (<=4.2.1)

A new security vulnerability—CVE-2023-47776—has been found in the miniOrange OTP Verification plugin for WordPress, affecting versions up to 4.2.1. This is a Missing Authorization issue, meaning that the plugin fails to check whether a user is allowed to perform certain functions. The problem can lead to Exploiting Incorrectly Configured Access Control Security Levels and potentially let unauthorized users perform restricted actions.

In this post, we will break down how the vulnerability works, show sample code snippets, demonstrate how it can be exploited, and link to original references for further reading. My explanation uses clear, simple English to help anyone understand this flaw and its dangers.

What is miniOrange OTP Verification?

miniOrange OTP Verification is a popular WordPress plugin that provides one-time password (OTP) functionality for user verification. It can add OTP features for registration, login, and transactions, aiming to boost site security.

Versions Affected: All up to and including 4.2.1

- Vulnerability Type: Missing Authorization / Improper Access Control

The vulnerability happens because certain AJAX actions and endpoints in the plugin do not check if the requesting user is authorized. That means almost anyone, even unauthenticated visitors, could trigger sensitive actions by crafting HTTP requests.

How Does the Vulnerability Work?

The plugin registers several AJAX actions—endpoints that process requests sent from the website to the server through JavaScript (AJAX). Normally, these endpoints should only process the request if the user has the right permissions.

In versions up to 4.2.1, some of these endpoints were missing proper current_user_can() or similar capability checks. That made it possible for attackers to simply call functions intended for admins or authenticated users.

You might see something like this in the plugin’s code (simplified for clarity)

add_action('wp_ajax_miniorange_verify_otp', 'miniorange_verify_otp_callback');

function miniorange_verify_otp_callback() {
    // ... No authorization check here ...
    $user_id = $_POST['user_id'];
    $otp = $_POST['otp'];

    // Verification logic here
    if (verify_otp($user_id, $otp)) {
        // Grant access, perform action...
    }
    // ...
}

Notice: No check to confirm if the caller is the right user, or even logged in!

1. Identify an Exposed AJAX Action

The plugin registers a vulnerable AJAX endpoint, such as /wp-admin/admin-ajax.php?action=miniorange_verify_otp.

Anyone (including unauthenticated users in some cases) crafts a POST request like

curl -X POST \
  -d "action=miniorange_verify_otp" \
  -d "user_id=2" \
  -d "otp=123456" \
  https://target-site.com/wp-admin/admin-ajax.php

3. Unauthorized Success

Because there is no proper authorization check, the endpoint processes the request. If the attacker knows or guesses the OTP, they can verify actions as another user or potentially trigger flows that should be protected.

Real-World Impact

If your website uses miniOrange OTP Verification up to version 4.2.1 and you have not updated, anyone can attack these endpoints and potentially undermine your security. If you rely on OTP for admin login, more damage is possible.

Update the Plugin Immediately!

miniOrange addressed this vulnerability in newer versions. You should always keep plugins updated to the latest version.

What Developers Should Do

When writing AJAX handlers or API endpoints, always check

if (!current_user_can('manage_options')) {
    wp_send_json_error('Unauthorized', 403);
    exit;
}
// Safe to process sensitive data here.

References

- Original Wordfence Advisory
- NVD Entry
- miniOrange OTP Verification Plugin on WP.org
- WordPress Plugin Developer Handbook

Conclusion

CVE-2023-47776 is a classic example of why authorization checks are vital in plugin and web development. If you use the miniOrange OTP Verification plugin, update it right away and keep your site secure. Always remember: Never trust user input and always verify right permissions before letting users perform sensitive actions!

If you want a more technical breakdown or a proof of concept, check the resources above and stay safe!

Timeline

Published on: 12/09/2024 13:15:30 UTC