CVE-2023-50373 - How Missing Authorization in WPSAAD Alt Manager Lets Attackers Bypass Security (With Exploit Example)
A recent vulnerability, CVE-2023-50373, has been found in WPSAAD Alt Manager—an account management plugin used mostly with Minecraft servers. This flaw is due to missing authorization checks, meaning that anyone can access sensitive admin operations if the server is wrongly configured. Today, we break down what this vulnerability is, how it can be exploited, and what you can do to defend your server.
What is WPSAAD Alt Manager?
WPSAAD Alt Manager is a plugin/mod designed for Minecraft server admins to help manage alternate accounts (or “alts”). The plugin offers features to manage, approve, or deny alt accounts connecting to a server. It’s popular because it makes controlling unauthorized access easier.
- Affected Versions: All versions up to 1.6.1
- Impact: Anyone who can reach the plugin's HTTP endpoints can perform admin-level actions. No credential is required, so exposing the endpoints beyond localhost, or on a network that is not otherwise locked down, turns the bug into a remote problem.
The root problem: the plugin's admin endpoints never check whether the requester is authorized. Bad actors can simply call the endpoints and execute restricted operations.
How Does The Attack Work?
Let’s say you have a Minecraft server using WPSAAD Alt Manager—perhaps you approve or ban users using a simple web interface or direct API endpoints.
If access controls are loose (like the plugin is exposed to the public or on a poorly secured internal network), *anyone* can craft HTTP requests to those endpoints and execute admin actions. No login, no session, no nothing.
Let's say the endpoint that bans alts is:

```http
POST /altmanager/ban
Content-Type: application/json

{
  "altName": "badPlayer01"
}
```
A legitimate admin might use this from the server interface. But because of the bug, *anyone* could send the same request with tools like curl or Postman:

```bash
curl -X POST http://your-mc-server:808/altmanager/ban \
  -H "Content-Type: application/json" \
  -d '{"altName": "victimAccount"}'
```
No authentication is required. The plugin never checks if you are actually an admin!
Banning is only one of the affected operations. With the same missing check, an attacker could also:

- Whitelist their own alts: attackers add their own alternate accounts, bypassing your restrictions.
- Leak server data: if the plugin exposes an endpoint that lists registered alts, anyone can scrape your user list.
- Automate abuse: attackers can script mass registrations or bans, totally disrupting your community.
To decide whether your server is exposed, check two things:

- Are any of the plugin's HTTP endpoints reachable from outside localhost (other networks or the internet)?
- Is access control on the admin/management endpoints missing or optional?

If you answer "yes" to either, you're at risk.
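The first question above can be answered from access logs. The script below is an added example, not part of this article or of the plugin: it assumes the endpoints are logged in Common Log Format (for instance by a reverse proxy in front of the plugin) and flags every request to a path under `/altmanager/` whose source is not the loopback interface. The log lines are constructed for the demo; the documentation addresses in them stand in for real external sources.

```python
"""Review access logs for Alt Manager admin-endpoint calls that did not come
from localhost.  Added example with assumed log format and sample data."""
import ipaddress
import re

ADMIN_PREFIX = "/altmanager/"   # assumed prefix of the plugin's admin endpoints

# Common Log Format: src ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# RFC 1918 and IPv6 ULA ranges count as "internal".  Checked explicitly rather
# than via ip.is_private so the documentation ranges used below read as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [09/Dec/2024:13:15:38 +0000] "POST /altmanager/ban HTTP/1.1" 200 24
10.0.0.7 - - [09/Dec/2024:13:16:02 +0000] "POST /altmanager/whitelist HTTP/1.1" 200 31
203.0.113.45 - - [09/Dec/2024:13:17:10 +0000] "GET /altmanager/list HTTP/1.1" 200 5120
203.0.113.45 - - [09/Dec/2024:13:17:11 +0000] "POST /altmanager/ban HTTP/1.1" 200 24
198.51.100.9 - - [09/Dec/2024:13:18:00 +0000] "GET /status HTTP/1.1" 200 12
garbage line that does not parse
"""


def classify_source(ip_text):
    """Return 'loopback', 'internal' or 'external', or None if not an IP address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def find_exposed_admin_calls(log_text):
    """Admin-endpoint requests whose source is not localhost.

    Each hit is (source, scope, method, path, status).  A 200 from an
    'external' source is the strongest signal: the endpoint is reachable
    from the internet and accepted the request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        if not m["path"].startswith(ADMIN_PREFIX):
            continue
        scope = classify_source(m["src"])
        if scope in (None, "loopback"):
            continue
        hits.append((m["src"], scope, m["method"], m["path"], int(m["status"])))
    return hits


def summarize(hits):
    """Count hits per (source, scope) so a scripted mass-ban stands out."""
    counts = {}
    for src, scope, *_ in hits:
        counts[(src, scope)] = counts.get((src, scope), 0) + 1
    return counts


if __name__ == "__main__":
    found = find_exposed_admin_calls(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize(found))
```

Anything reported as `external` with a 200 status answers both checklist questions at once: the endpoint is reachable from outside and it served the request. Internal hits are worth a look too, since the plugin itself does no checking and any host on that network can issue the same calls.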
Upgrade the Plugin
Check the official plugin page or the GitHub repository for updates fixing this issue.
Add Authentication
If you must expose the panel, *put it behind strong authentication* (HTTP Basic Auth over TLS, session tokens, etc.), and bind the listener to localhost or a firewalled management network so the endpoints are not reachable from the internet at all.
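To make the bug and the fix concrete, here is an added example that is not the plugin's code and not from the article: the ban endpoint as described above with the authorization check missing, beside a hardened handler that authenticates the caller, checks the caller's role, and only then validates the input. The endpoint path, the Bearer-token header, the session store and the role names are all assumptions for the demo.

```python
"""Ban endpoint with the missing check (vulnerable) beside a hardened version.
Added illustration; path, token header, session store and roles are assumed."""
import hmac
import json
import re
from dataclasses import dataclass, field

BAN_PATH = "/altmanager/ban"           # path from the article's illustration

# Constructed session store: opaque token -> role.  A real plugin would mint
# these after an admin logs in; they are hard-coded only for the demo.
SESSIONS = {"tok-admin-4f2c": "admin", "tok-player-9b1e": "player"}

# Minecraft usernames are 3-16 characters of letters, digits and underscore.
ALT_NAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")


@dataclass
class Request:
    method: str
    path: str
    body: bytes
    headers: dict = field(default_factory=dict)


def ban_vulnerable(req, banned):
    """Mirrors the bug: any POST to the ban endpoint is honoured, whoever sent it."""
    if req.method != "POST" or req.path != BAN_PATH:
        return 404, {"error": "not found"}
    alt = json.loads(req.body)["altName"]
    banned.add(alt)
    return 200, {"banned": alt}


def _role_for_token(token, sessions):
    """Constant-time lookup over every entry, never breaking early, so the
    response time does not reveal how close a guessed token came."""
    role = None
    for known, known_role in sessions.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            role = known_role
    return role


def ban_hardened(req, banned, sessions=SESSIONS):
    """Same endpoint with the checks the vulnerable handler skips."""
    if req.method != "POST" or req.path != BAN_PATH:
        return 404, {"error": "not found"}

    # 1. Authentication: who is calling?
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    role = _role_for_token(auth[len("Bearer "):], sessions)
    if role is None:
        return 401, {"error": "invalid session"}

    # 2. Authorization: is this caller allowed to perform *this* operation?
    if role != "admin":
        return 403, {"error": "admin role required"}

    # 3. Input validation, now that we know an admin is asking.
    try:
        alt = json.loads(req.body)["altName"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "altName required"}
    if not isinstance(alt, str) or not ALT_NAME_RE.match(alt):
        return 400, {"error": "invalid altName"}

    banned.add(alt)
    return 200, {"banned": alt}


def demo():
    """Replay the article's curl request against both handlers."""
    anon = Request("POST", BAN_PATH, b'{"altName": "victimAccount"}')
    player = Request("POST", BAN_PATH, anon.body, {"Authorization": "Bearer tok-player-9b1e"})
    admin = Request("POST", BAN_PATH, anon.body, {"Authorization": "Bearer tok-admin-4f2c"})
    return {
        "vulnerable_anon": ban_vulnerable(anon, set())[0],   # 200: the ban goes through
        "hardened_anon": ban_hardened(anon, set())[0],       # 401: no identity presented
        "hardened_player": ban_hardened(player, set())[0],   # 403: authenticated, not admin
        "hardened_admin": ban_hardened(admin, set())[0],     # 200: admin, valid input
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: authentication before authorization, and input parsing only after both, so an anonymous caller can never reach the JSON parser or the ban list. The 401 versus 403 split also tells a legitimate client whether it needs to log in or simply lacks the role, without revealing anything about other accounts.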
References
- CVE Details - CVE-2023-50373
- NVD Detail: CVE-2023-50373
- WPSAAD Alt Manager on SpigotMC
- OWASP Access Control Cheat Sheet
Final Thoughts
CVE-2023-50373 is a reminder that access control mistakes are common—and dangerous in community server plugins. If you’re running WPSAAD Alt Manager or similar mods, always check how your admin features are secured.
Keep plugins updated, restrict who can reach management endpoints, and follow established access control guidance.
Feel free to share this with other server admins and stay safe out there!
> *This article is by security researchers for the community—please use this info responsibly. If you find a flaw, report it to developers, not just Twitter!*
*Want more Minecraft security tips or have a server plugin you want us to check? Comment below!*
Timeline
Published on: 12/09/2024 13:15:38 UTC