The WordPress ecosystem is rich with plugins that make it easy to customize websites. But sometimes, plugins bring not just features, but also dangerous security risks. Today, we're diving deep into CVE-2024-32081, a recently discovered vulnerability in the popular "Filter Custom Fields & Taxonomies Light" plugin by Websupporter.

This issue, which affects all versions up to and including 1.05, exposes WordPress websites to unauthorized access and information disclosure. In this post, we’ll unpack what happened, show proof-of-concept code, and discuss how you can stay safe.

What is CVE-2024-32081?

CVE-2024-32081 is a Missing Authorization vulnerability. In simple terms: some plugin features can be used without checking if the person making the request is allowed to do so.

On a vulnerable WordPress site, a malicious visitor could trigger specific plugin functions—functions meant only for logged-in or privileged users. This lets attackers manipulate or access data they shouldn’t see.

Why Is This Bad?

- Attackers can access or filter information about posts, custom fields, or taxonomies without permission.
- Potential for data leakage: Information usually reserved for privileged users may be exposed to anyone on the internet.

How Does the Exploit Work?

Let's walk through a basic, realistic example.
The vulnerability centers on AJAX actions registered by the plugin. These AJAX handlers do not check if the user is logged in or authorized to access the data being filtered.

The plugin exposes an AJAX handler for filtering posts by custom fields or taxonomies, registered roughly like this:

add_action('wp_ajax_nopriv_websupporter_filter', 'websupporter_filter_ajax_callback');
add_action('wp_ajax_websupporter_filter', 'websupporter_filter_ajax_callback');

The nopriv action means that even not-logged-in users (guests) can fire this action.

Inside the vulnerable callback function, the plugin fetches and returns requested post details, custom fields, or taxonomy information without any capability checks.

Here is a simplified vulnerable code snippet:

function websupporter_filter_ajax_callback() {
    // Fetch user-supplied filter parameters
    $args = array(
        'post_type' => $_POST['post_type'],
        'meta_key' => $_POST['meta_key'],
        'meta_value' => $_POST['meta_value'],
    );
    // Runs a query with the parameters from the POST request
    $query = new WP_Query($args);

    // Echoes post results in JSON (could include sensitive info!)
    echo json_encode($query->posts);
    wp_die();
}

Proof-of-Concept: Exploiting the Vulnerability

Anyone can POST directly to the AJAX endpoint and retrieve filtered post data. Here’s how an exploit might look with curl:

curl -X POST -d "action=websupporter_filter&post_type=post&meta_key=secret_field&meta_value=*" https://targetsite.com/wp-admin/admin-ajax.php

What happens:
The plugin returns all post data matching that custom field, in clear JSON, even to unauthenticated users!

A more targeted attacker could enumerate meta fields by guessing names (secret_key, user_email, etc.), sometimes revealing private or sensitive data.

Real-World Impact: What You Could Lose

- Post meta fields and taxonomies could contain internal notes, private data, or unpublished material.

Is There a Patch?

As of this writing (June 2024), no official patch has been released by the plugin author for version 1.05 and earlier. The best course of action:

- Disable the plugin immediately.
- Monitor the WordPress plugin page for updates.

If you cannot remove the plugin right away, a temporary stopgap is to make the handler unreachable for guests by removing its nopriv registration from the plugin code:

// Comment out or remove the nopriv action registration
// add_action('wp_ajax_nopriv_websupporter_filter', 'websupporter_filter_ajax_callback');

// ... existing code ...

Keep in mind that this only blocks unauthenticated requests. The wp_ajax_websupporter_filter action for logged-in users still runs the same callback without a capability check, so any authenticated account (a subscriber, for example) can still call it until the callback itself is fixed.
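A hardened form of the callback, added here as an illustration and not the plugin author's code, shows what the missing checks look like in practice: a nonce check, a capability check, allow-lists for the query parameters, and a trimmed response. The hook and function names are reused from the snippet above; the required capability and the list of filterable meta keys are assumptions for this example.

```php
<?php
// Hardened version of the callback (example code, not the plugin's own fix).

// Registered only for logged-in users: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_websupporter_filter', 'websupporter_filter_ajax_callback_hardened' );

function websupporter_filter_ajax_callback_hardened() {
    // 1. CSRF protection: the requesting page must embed a nonce created with
    //    wp_create_nonce( 'websupporter_filter' ) and send it as the 'nonce' field.
    check_ajax_referer( 'websupporter_filter', 'nonce' );

    // 2. Authorization: require a capability that matches the data being returned.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation: only public post types and an allow-list of meta keys,
    //    never an arbitrary key name taken straight from $_POST.
    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : 'post';
    if ( ! in_array( $post_type, get_post_types( array( 'public' => true ) ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post type' ), 400 );
    }
    $allowed_meta_keys = array( 'color', 'size' ); // assumed filterable keys for this example
    $meta_key = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    if ( ! in_array( $meta_key, $allowed_meta_keys, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid meta key' ), 400 );
    }
    $meta_value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';

    // 4. Restrict the query to published posts and fetch only IDs.
    $query = new WP_Query( array(
        'post_type'   => $post_type,
        'post_status' => 'publish',
        'meta_key'    => $meta_key,
        'meta_value'  => $meta_value,
        'fields'      => 'ids',
    ) );

    // 5. Return only the fields the front end needs instead of whole post objects.
    $results = array();
    foreach ( $query->posts as $post_id ) {
        $results[] = array(
            'id'    => $post_id,
            'title' => get_the_title( $post_id ),
            'link'  => get_permalink( $post_id ),
        );
    }
    wp_send_json_success( $results );
}
```

With the nopriv hook gone, admin-ajax.php answers unauthenticated calls with a 400 before the callback runs, and logged-in callers without the required capability receive a 403 from the callback itself.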

Original References and Further Reading

- WPScan Vulnerability Database: CVE-2024-32081
- NVD Details for CVE-2024-32081
- Plugin Directory: Filter Custom Fields & Taxonomies Light

Conclusion

CVE-2024-32081 is a textbook example of why plugin security matters. A simple missing check in a widely installed plugin opens the gate for data exposure attacks. Until there’s an official fix, the best defense is awareness and swift action.

Take a moment to check your WordPress installs today—especially if you use Websupporter’s Filter Custom Fields & Taxonomies Light. Disable it until you’re sure you’re protected.

Stay safe, and keep your site locked down!

*This article is exclusive to this post and intended for educational, defensive security purposes only. Do not use this information for illegal activities.*

Timeline

Published on: 06/09/2024 19:15:51 UTC
Last modified on: 06/12/2024 13:32:59 UTC