WordPress plugins make website management easy, but sometimes they also leave worrying holes hackers can exploit. CVE-2023-49154 is a Missing Authorization vulnerability in the popular Button Generator – easily Button Builder plugin from Wow-Company. This flaw lets attackers bypass security controls and take actions only admins should be able to do.

Let’s dive into what this CVE means, who’s affected, how to exploit it, and how you can protect your site.

What is CVE-2023-49154?

This vulnerability lives in the Button Generator – easily Button Builder plugin — a tool to build good-looking buttons for WordPress without coding. Sadly, versions *up to and including 2.3.8* have a wrongly configured access control mechanism or, simply put, are missing the checks that verify a user is actually allowed to perform sensitive actions.

Official Reference

- NVD (National Vulnerability Database) Listing for CVE-2023-49154
- Wordfence Advisory – Button Generator

How Does the Vulnerability Work?

Most WordPress plugins use nonces and/or capability checks (like current_user_can('manage_options')) to check a user’s access level before allowing certain actions, especially those that change data or settings.

Button Generator – easily Button Builder failed here. The code handling its AJAX (background JavaScript) requests or form submissions does *not* check if the user is an admin, or even logged in. This means anyone can send crafted HTTP requests and perform actions like adding, editing, or deleting buttons.

Exploit Example: Adding a Button (Demo)

Let’s see how an attacker can use the flaw. Here's a basic proof-of-concept using curl (a command-line tool for making HTTP requests):

curl -X POST "https://victimwebsite.com/wp-admin/admin-ajax.php" \
-d "action=wcbgb_add_button" \
-d "button_name=MaliciousButton" \
-d "button_code=<script>alert('hacked');</script>"

- No authentication or authorization is checked.
- Attacker can inject any name/code they wish.

If this is submitted, a new button named “MaliciousButton” appears — containing an alert or, worse, a malicious JavaScript.

Vulnerable Code Snippet (Simplified)

To understand how this happened, here’s a simplified version of the vulnerable code. It does not check the user's capabilities:

add_action('wp_ajax_wcbgb_add_button', 'wcbgb_add_button_callback');
// No check like: if (!current_user_can('manage_options')) { die(); }

function wcbgb_add_button_callback() {
    $name = $_POST['button_name'];
    $code = $_POST['button_code'];
    // Save to DB with minimal sanitization...
    // No authentication!
}

A secure version should verify the caller's capability before doing anything else:

function wcbgb_add_button_callback() {
    if (!current_user_can('manage_options')) {
        wp_die('Unauthorized');
    }
    // Proceed with action...
}
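For a fuller picture of what "secure" means here, the following is an added example and not the plugin's own code: a hardened handler for the same action that combines a nonce check (CSRF), a capability check (authorization) and input filtering. The wcbgb_ identifiers, the script handle and the options-table storage are assumed for illustration; the WordPress functions are real.

```php
<?php
// Added example (not the plugin's code): a hardened AJAX handler for the
// action "wcbgb_add_button" shown above. Names beginning with wcbgb_ and the
// storage layout are assumed; the WordPress API calls are real.

// Hand a nonce to the admin-side script so a request can prove it came from
// the plugin's own UI and not from a forged cross-site form.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('wcbgb-admin', plugins_url('admin.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('wcbgb-admin', 'wcbgbAjax', array(
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('wcbgb_add_button'),
    ));
});

// Register for logged-in users only: wp_ajax_{action} is never reached by
// anonymous visitors. Deliberately NOT adding wp_ajax_nopriv_wcbgb_add_button
// keeps unauthenticated traffic out of this handler entirely.
add_action('wp_ajax_wcbgb_add_button', 'wcbgb_add_button_callback_secure');

function wcbgb_add_button_callback_secure() {
    // 1. Nonce check: aborts the request (HTTP 403) if the token is missing or stale.
    check_ajax_referer('wcbgb_add_button', 'nonce');

    // 2. Authorization: a logged-in subscriber is still not allowed to add buttons.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Unauthorized'), 403);
    }

    // 3. Input filtering: plain text for the name, post-safe HTML for the code,
    //    so a <script> payload like the one in the PoC is stripped before it is stored.
    $name = isset($_POST['button_name']) ? sanitize_text_field(wp_unslash($_POST['button_name'])) : '';
    $code = isset($_POST['button_code']) ? wp_kses_post(wp_unslash($_POST['button_code'])) : '';
    if ($name === '') {
        wp_send_json_error(array('message' => 'button_name is required'), 400);
    }

    // 4. Persist (assumed storage via the options API) and record who did it,
    //    which is what makes the "monitor for unusual buttons" advice auditable.
    $buttons   = get_option('wcbgb_buttons', array());
    $buttons[] = array('name' => $name, 'code' => $code, 'author' => get_current_user_id(), 'created' => time());
    update_option('wcbgb_buttons', $buttons);

    wp_send_json_success(array('count' => count($buttons)));
}
```

Both wp_send_json_error() and wp_send_json_success() terminate the request, so the capability failure never falls through to the save. If a plugin genuinely needs to store raw HTML, gate that path on the unfiltered_html capability rather than skipping wp_kses_post() for everyone.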

Who’s at Risk?

Any site using Wow-Company Button Generator – easily Button Builder version 2.3.8 or below is open to this kind of attack.

What Should You Do?

1. Update the Plugin:
Check your version in the WP admin dashboard (Plugins > Installed Plugins). If it’s 2.3.8 or below, update ASAP or deactivate.

2. Monitor for Unusual Buttons:
Check for unknown new buttons, especially with suspicious code.

3. Restrict Access to wp-admin/admin-ajax.php:
Consider limiting access to trusted IPs, if possible.

Additional Resources

- Plugin Listing on WordPress.org
- Exploit Database (Search for CVE-2023-49154)
- OWASP: Broken Access Control

TL;DR

- CVE-2023-49154 is a severe access control vulnerability in the Button Generator – easily Button Builder plugin for WordPress

Stay safe and always keep your plugins updated!

(This post is original content, intended for clear and exclusive explanation. All code, descriptions, and actions are for security research and defensive purposes only.)

Timeline

Published on: 12/09/2024 13:15:34 UTC