CVE-2023-49851 - Exploiting Missing Authorization in ILMDESIGNS Square Thumbnails Plugin

CVE-2023-49851 is a dangerous vulnerability that was discovered in the popular WordPress plugin, Square Thumbnails, developed by ILMDESIGNS. This bug, present in all versions up to 1.1.1, allows attackers to bypass authorization checks due to wrongly configured access control. As a result, certain plugin functions that are meant for admin use only can be accessed by anyone—posing a real risk to your website!

What is Square Thumbnails?

Square Thumbnails is a WordPress plugin that helps site owners automatically generate neatly cropped square thumbnails for their content—making image galleries look nice and uniform.

How It Happens

In secure plugins, actions that change files or settings are typically protected—only users with the right permissions, like administrators, are supposed to execute them. However, in Square Thumbnails up to version 1.1.1, some sensitive actions did not check if a user was allowed to do this. Anyone—even visitors who are not logged in—could trigger these actions!

Why?

The developer forgot or incorrectly implemented the check for current_user_can() or is_admin() before running important functionality.

Suppose there is a function in the plugin like this

add_action('wp_ajax_sqthn_generate_thumbnails', 'sqthn_generate_thumbnails_callback');

function sqthn_generate_thumbnails_callback() {
    // MISSING authorization check!
    // Anyone can access this AJAX action and manipulate images.
    $post_id = intval($_POST['post_id']);
    // ... code to generate or change thumbnails ...
    wp_send_json_success('Thumbnails Updated!');
}

In secure code, this would always start with a permissions check

function sqthn_generate_thumbnails_callback() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Not Allowed', 403);
        return;
    }
    $post_id = intval($_POST['post_id']);
    // ... rest of the code ...
}

But in Square Thumbnails, up to v1.1.1, such checks were missing for one or more AJAX actions.

Anyone can send an HTTP POST (or use tools like cURL) to trigger the plugin action.

- Attackers can repeatedly create, overwrite, or delete thumbnails—possibly even leading to denial-of-service (overloading the server or corrupting media files).

Using cURL, a remote, unauthenticated attacker could execute

curl -X POST "https://targetsite.com/wp-admin/admin-ajax.php"; \
     -d "action=sqthn_generate_thumbnails&post_id=123"

This would cause the thumbnail to be regenerated for post ID 123—even if the sender is not logged in!

> ⚠️ In serious cases, this can cripple or deface your site’s media gallery.
> How severe the impact is will depend on what the AJAX actions allow.

How to Fix

The vulnerability was fixed in later versions—by properly adding capability checks.

What Should You Do?

1. Immediately update Square Thumbnails to the latest version.

References

- Wordfence Advisory — CVE-2023-49851
- Official Plugin Page
- VulnCheck Security Report

Conclusion

A simple but critical mistake in access control has left many WordPress sites open to attacks via CVE-2023-49851. If you're using Square Thumbnails, update now. For any developer, remember: Always check user permissions before doing anything important!

Help Spread the Word

Share this guide with other site owners and developers to keep WordPress safe for everyone!

Timeline

Published on: 12/09/2024 13:15:37 UTC