2023’s Critical WordPress Vulnerabilities and How They Work

2023’s Critical WordPress Vulnerabilities and How They Work 🎉 Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! In 2023, the Wordfence Threat Intelligence team’s primary focus was to research high-impact, high- or critical-severity vulnerabilities. This means that we spent a lot of time looking for vulnerabilities like arbitrary file uploads, user password resets, authentication bypasses, and privilege escalations. Fortunately, we were able to discover a lot of these vulnerabilities and get them remediated before attackers could find and exploit them. Now that we have launched our Bug Bounty Program that pays the biggest bounties for the most impactful research, we hope to continue a positive trend of researchers finding critical, high impact vulnerabilities and responsibly disclosing those through our program so we can work with vendors to ensure they get patched. In today’s post, we’d like to highlight some of the big vulnerabilities of 2023 that we focused on, along with providing some background on these vulnerability types. 2023 Wordfence Critical Vulnerability Research in Review Authentication Bypass An authentication bypass vulnerability occurs when an attacker exploits weaknesses in the authentication mechanism to log into a user’s account, typically a high-privileged user. These vulnerabilities make it easy for threat actors to completely compromise a vulnerable WordPress site with minimal user interaction and often easy automation. Authentication bypass exploits are special in that the attacker does not change or even know the credentials, but instead bypasses the authentication process. This means that the victim does not notice the attack, because their account is not changed, and the WordPress website administrator can log in in the same way. Note that most authentication bypass vulnerabilities in WordPress also bypass two-factor authentication, so even that does not protect against the attack. It’s important to run a WordPress specific web application firewall, such as Wordfence, to provide protection against these types of attacks. As seen, a single exploit request is enough for the attacker to gain administrator privileges on the website. The Wordfence Team found a total of 13 authentication bypass vulnerabilities in 2023. You can find the details of these vulnerabilities below. UserPro <= 5.1.1 – Authentication Bypass to Administrator Plugin Slug: userpro Affected Versions: <= 5.1.1 CVE ID: CVE-2023-2437 CVSS Score: 9.8 (Critical) Researcher/s: István Márton RegistrationMagic <= 5.2.1.0 – Authentication Bypass Plugin Slug: custom-registration-form-builder-with-submission-manager Affected Versions: <= 9.8 CVE ID: CVE-2023-2499 CVSS Score: 9.8 (Critical) Researcher/s: István Márton WP User Switch <= 1.0.2 – Authenticated (Subscriber+) Authentication Bypass via Cookie Plugin Slug: wp-user-switch Affected Versions: <= 1.0.2 CVE ID: CVE-2023-2546 CVSS Score: 8.8 (High) Researcher/s: István Márton BP Social Connect <= 1.5 – Authentication Bypass Plugin Slug: bp-social-connect Affected Versions: <= 1.5 CVE ID: CVE-2023-2704 CVSS Score: 9.8 (Critical) Researcher/s: István Márton MStore API <= 3.9.0 – Authentication Bypass Plugin Slug: mstore-api Affected Versions: <= 3.9.0 CVE ID: CVE-2023-2733 CVSS Score: 9.8 (Critical) Researcher/s: István Márton MStore API <= 3.9.1 – Authentication Bypass Plugin Slug: mstore-api Affected Versions: <= 3.9.1 CVE ID: CVE-2023-2734 CVSS Score: 9.8 (Critical) Researcher/s: István Márton MStore API <= 3.9.2 – Authentication Bypass Plugin Slug: mstore-api Affected Versions: <= 3.9.2 CVE ID: CVE-2023-2732 CVSS Score: 9.8 (Critical) Researcher/s: István Márton User Email Verification for WooCommerce <= 3.5.0 – Authentication Bypass Plugin Slug: woo-confirmation-email Affected Versions: <= 3.5.0 CVE ID: CVE-2023-2781 CVSS Score: 8.1 (High) Researcher/s: István Márton BookIt <= 2.3.7 – Authentication Bypass Plugin Slug: bookit Affected Versions: <= 2.3.7 CVE ID: CVE-2023-2834 CVSS Score: 9.8 (Critical) Researcher/s: István Márton WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass Plugin Slug: miniorange-login-openid Affected Versions: <= 7.6.4 CVE ID: CVE-2023-2982 CVSS Score: 9.8 (Critical) Researcher/s: István Márton Abandoned Cart Lite for WooCommerce <= 5.15.1 – Authentication Bypass Plugin Slug: woocommerce-abandoned-cart Affected Versions: <= 5.15.1 CVE ID: CVE-2023-2986 CVSS Score: 9.8 (Critical) Researcher/s: István Márton Stripe Payment Plugin for WooCommerce <= 3.7.7 – Authentication Bypass Plugin Slug: payment-gateway-stripe-and-woocommerce-integration Affected Versions: <= 3.7.7 CVE ID: CVE-2023-3162 CVSS Score: 9.8 (Critical) Researcher/s: István Márton Web3 – Crypto wallet Login & NFT token gating <= 2.6.0 – Authentication Bypass Plugin Slug: web3-authentication Affected Versions: <= 2.6.0 CVE ID: CVE-2023-3249 CVSS Score: 9.8 (Critical) Researcher/s: István Márton Privilege Escalation A privilege escalation vulnerability occurs when an attacker exploits weaknesses in user management, modifying a low-privileged account, such as a subscriber, to elevate it to a high-privileged account, effectively becoming an administrator. These vulnerabilities also make it easy for threat actors to completely compromise a vulnerable WordPress site, however, they typically require at least some form of access on the site in order for privileges to be elevated. As shown, a single exploit request is typically enough for the attacker to gain administrator privileges on the website. We found a total of 12 privilege escalation vulnerabilities in 2023. The more serious vulnerabilities, which can be exploited with low privileges, are listed below (11 out of 12 in total): UserPro <= 5.1.4 – Authenticated (Subscriber+) Privilege Escalation Plugin Slug: userpro Affected Versions: <= 5.1.4 CVE ID: CVE-2023-6009 CVSS Score: 8.8 (High) Researcher/s: István Márton Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation Plugin Slug: feather-login-page Affected Versions: 1.0.7 – 1.1.1 CVE ID: CVE-2023-2545 CVSS Score: 8.1 (High) Researcher/s: István Márton OTP Login Woocommerce & Gravity Forms <= 2.2 – Authentication Bypass to Privilege Escalation Plugin Slug: mobile-login-woocommerce Affected Versions: <= 2.2 CVE ID: CVE-2023-2706 CVSS Score: 8.1 (High) Researcher/s: István Márton ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation Plugin Slug: reviewx Affected Versions: <= 1.6.13 CVE ID: CVE-2023-2833 CVSS Score: 8.8 (High) Researcher/s: István Márton ProfileGrid <= 5.5.2 – Missing Authorization to Arbitrary Group Option Modification and Privilege Escalation Plugin Slug: profilegrid-user-profiles-groups-and-communities Affected Versions: <= 5.5.2 CVE ID: CVE-2023-3714 CVSS Score: 7.5 (High) Researcher/s: István Márton WP Project Manager <= 2.6.4 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation Plugin Slug: wedevs-project-manager Affected Versions: <= 2.6.4 CVE ID: CVE-2023-3636 CVSS Score: 8.8 (High) Researcher/s: István Márton, Chloe Chamberland BAN Users <= 1.5.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation Plugin Slug: ban-users Affected Versions: <= 1.5.3 CVE ID: CVE-2023-4153 CVSS Score: 8.8 (High) Researcher/s: István Márton Real Estate Manager <= 6.7.1 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation Plugin Slug: real-estate-manager Affected Versions: <= 6.7.1 CVE ID: CVE-2023-4239 CVSS Score: 8.8 (High) Researcher/s: István Márton Premium Packages – Sell Digital Products Securely <= 5.7.4 – Arbitrary User Meta Update to Authenticated (Subscriber+) Privilege Escalation Plugin Slug: wpdm-premium-packages Affected Versions: <= 5.7.4 CVE ID: CVE-2023-4293 CVSS Score: 8.8 (High) Researcher/s: István Márton Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation Plugin Slug: charitable Affected Versions: <= 1.7.0.12 CVE ID: CVE-2023-4404 CVSS Score: 9.8 (Critical) Researcher/s: István Márton WP Data Access <= 5.3.7 – Authenticated (Subscriber+) Privilege Escalation Plugin Slug: wp-data-access Affected Versions: <= 5.3.7 CVE ID: CVE-2023-1874 CVSS Score: 7.5 (High) Researcher/s: Chloe Chamberland Arbitrary File Upload An arbitrary file upload vulnerability occurs when an attacker exploits weaknesses in file management, uploading a malicious php file that allows an attacker to execute remote code. These vulnerabilities also make it easy for threat actors to completely compromise a vulnerable WordPress site and are often a prime target for threat actors looking to upload malware and backdoors/webshells to maintain persistence. As seen, also a single exploit request is enough for the attacker to upload a malicious php file to the website. All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability type by default thanks to the Wordfence Firewall’s built-in Malicious File Upload protection, which makes use of a layered approach to detect and block malicious file uploads. We found a total of 20 arbitrary file upload vulnerabilities in 2023. The more serious vulnerabilities, which can be exploited with low privileges, are listed below (9 out of 20 in total): Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Improper Authorization to Arbitrary File Upload Plugin Slug: go_pricing Affected Versions: <= 3.3.19 CVE ID: CVE-2023-2496 CVSS Score: 7.1 (High) Researcher/s: István Márton User Registration <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Upload Plugin Slug: user-registration Affected Versions: <= 3.0.2 CVE ID: CVE-2023-3342 CVSS Score: 9.9 (Critical) Researcher/s: István Márton Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.3 – Unauthenticated Arbitrary File Upload Plugin Slug: drag-and-drop-multiple-file-upload-contact-form-7 Affected Versions: <= 1.3.7.3 CVE ID: CVE-2023-5822 CVSS Score: 8.1 (High) Researcher/s: István Márton Paid Memberships Pro <= 2.12.3 – Authenticated (Subscriber+) Arbitrary File Upload Plugin Slug: paid-memberships-pro Affected Versions: <= 2.12.3 CVE ID: CVE-2023-6187 CVSS Score: 7.5 (High) Researcher/s: István Márton Piotnet Forms <= 1.0.26 – Unauthenticated Arbitrary File Upload Plugin Slug: piotnetforms Affected Versions: <= 1.0.26 CVE ID: CVE-2023-6220 CVSS Score: 8.1 (High) Researcher/s: István Márton MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload Plugin Slug: mw-wp-form Affected Versions: <= 5.0.1 CVE ID: CVE-2023-6316 CVSS Score: 9.8 (Critical) Researcher/s: István Márton Unlimited Addons for WPBakery Page Builder <= 1.0.42 – Authenticated (Editor+) Arbitrary File Upload Plugin Slug: unlimited-addons-for-wpbakery-page-builder Affected Versions: <= 1.0.42 CVE ID: CVE-2023-6925 CVSS Score: 7.2 (High) Researcher/s: István Márton Note: Contributors can also use the page builder depending on the plugin settings. Essential Real Estate <= 4.3.5 – Authenticated (Subscriber+) Arbitrary File Upload Plugin Slug: essential-real-estate Affected Versions: <= 4.3.5 CVE ID: CVE-2023-6827 CVSS Score: 7.5 (High) Researcher/s: István Márton Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 – Authenticated (Contributor+) Arbitrary File Upload Plugin Slug: unlimited-elements-for-elementor Affected Versions: <= 1.5.66 CVE ID: CVE-2023-3295 CVSS Score: 8.8 (High) Researcher/s: Chloe Chamberland, and another researcher (duplicated) Arbitrary File Deletion An arbitrary file deletion vulnerability occurs when an attacker exploits weaknesses in file management. This can be used to delete any file, however, attackers often target the wp-config.php in WordPress. Deleting the wp-config.php file allows an attacker to reset the installation and gain administrator access to the site by pointing it to a remote database under their control. This makes it possible to achieve remote code execution on the server. As such, these vulnerabilities also make it easy for threat actors to completely compromise a vulnerable WordPress site. All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability type by default thanks to the Wordfence Firewall’s built-in Directory Traversal and Local File Inclusion protection. We found a total of 1 arbitrary file deletion vulnerability in 2023. AI ChatBot <= 4.8.9 and 4.9.2- Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file Plugin Slug: chatbot Affected Versions: 4.9.2 – 4.9.2, <= 4.8.9 CVE ID: CVE-2023-5212 CVSS Score: 9.6 (Critical) Researcher/s: Marco Wotschka, Chloe Chamberland Arbitrary User Password Change An arbitrary user password change vulnerability occurs when an attacker exploits weaknesses in user management, typically through an insecure direct object reference vulnerability, providing a specific value to modify the password of an ‘admin’ account instead of their attacker’s own ‘user’ account. This can easily be used by attackers to take over administrative user accounts and further infect a victim. As seen, a single exploit request is enough for the attacker to change the administrator password on the website. We found a total of 7 arbitrary user password change vulnerabilities in 2023. The more serious vulnerabilities are listed below, which can also be exploited with low privileges (5 out of 7 in total): WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 – Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change Plugin Slug: wc-multivendor-membership Affected Versions: <= 2.10.7 CVE ID: CVE-2023-2276 CVSS Score: 9.8 (Critical) Researcher/s: István Márton SP Project & Document Manager <= 4.67 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change Plugin Slug: sp-client-document-manager Affected Versions: <= 4.67 CVE ID: CVE-2023-3063 CVSS Score: 8.8 (High) Researcher/s: István Márton LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change Plugin Slug: sfwd-lms Affected Versions: <= 4.6.0 CVE ID: CVE-2023-3105 CVSS Score: 8.8 (High) Researcher/s: István Márton Simplr Registration Form Plus+ <= 2.4.5 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change Plugin Slug: simplr-registration-form Affected Versions: <= 2.4.5 CVE ID: CVE-2023-4213 CVSS Score: 8.8 (High) Researcher/s: István Márton Directorist <= 7.5.4 – Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation Plugin Slug: directorist Affected Versions: <= 7.5.4 CVE ID: CVE-2023-1888 CVSS Score: 8.8 (High) Researcher/s: Alex Thomas Local or Remote File Inclusion A local file inclusion vulnerability occurs when an attacker exploits weaknesses in file management to include or execute arbitrary files on the server. Attackers once again often target wp-config.php, which contains database credentials and secret keys. A remote file inclusion vulnerability, on the other hand, allows remote code execution by directly allowing attackers to execute code from a remote site under their control. All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting local file inclusion vulnerabilities thanks to the Wordfence Firewall’s built-in Directory Traversal and Local File Inclusion protection. We found a total of 8 local or remote file inclusion vulnerabilities in 2023. The more serious vulnerabilities are listed below, which can also be exploited with low privileges (7 out of 8 in total): Dropbox Folder Share <= 1.9.7 – Unauthenticated Local File Inclusion Plugin Slug: dropbox-folder-share Affected Versions: <= 1.9.7 CVE ID: CVE-2023-4488 CVSS Score: 9.8 (Critical) Researcher/s: Marco Wotschka Canto <= 3.0.4 – Unauthenticated Remote File Inclusion Plugin Slug: canto Affected Versions: <= 3.0.4 CVE ID: CVE-2023-3452 CVSS Score: 9.8 (Critical) Researcher/s: Marco Wotschka LWS Affiliation <= 2.2.6 – Unauthenticated Remote/Local File Inclusion Plugin Slug: lws-affiliation Affected Versions: <= 2.2.6 CVE ID: CVE-2023-32297 CVSS Score: 9.8 (Critical) Researcher/s: Marco Wotschka, and another researcher (duplicated) WP Directory Kit <= 1.1.9 – Unauthenticated Local File Inclusion via wdk_public_action Plugin Slug: wpdirectorykit Affected Versions: <= 1.1.9 CVE ID: CVE-2023-2278 CVSS Score: 9.8 (Critical) Researcher/s: István Márton PHP to Page <= 0.3 – Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode Plugin Slug: php-to-page Affected Versions: <= 0.3 CVE ID: CVE-2023-5199 CVSS Score: 9.9 (Critical) Researcher/s: István Márton Grid Plus <= 1.3.3 – Authenticated (Subscriber+) Local File Inclusion via Shortcode Plugin Slug: grid-plus Affected Versions: <= 1.3.3 CVE ID: CVE-2023-5199 CVSS Score: 8.8 (High) Researcher/s: István Márton HTML filter and csv-file search <= 2.7 – Authenticated (Contributor+) Local File Inclusion via Shortcode Plugin Slug: hk-filter-and-search Affected Versions: <= 2.7 CVE ID: CVE-2023-5099 CVSS Score: 8.8 (High) Researcher/s: Alex Thomas Remote Code Execution The remote code execution vulnerability occurs when an attacker is able to execute arbitrary remote code on the server. This can be used by attackers to upload malware, maintain persistence, and further compromise the victim’s server. We found a total of 5 remote code execution vulnerabilities in 2023. The more serious vulnerabilities are listed below, which can also be exploited with low privileges (3 out of 5 in total): Allow PHP in Posts and Pages <= 3.0.4 – Authenticated (Subscriber+) Remote Code Execution via Shortcode Plugin Slug: allow-php-in-posts-and-pages Affected Versions: <= 3.0.4 CVE ID: CVE-2023-4994 CVSS Score: 9.9 (Critical) Researcher/s: István Márton OpenHook <= 4.3.0 – Authenticated (Subscriber+) Remote Code Execution via Shortcode Plugin Slug: thesis-openhook Affected Versions: <= 4.3.0 CVE ID: CVE-2023-5201 CVSS Score: 9.9 (Critical) Researcher/s: István Márton Ads by datafeedr.com <= 1.1.3 – Unauthenticated (Limited) Remote Code Execution Plugin Slug: ads-by-datafeedrcom Affected Versions: <= 1.1.3 CVE ID: CVE-2023-5843 CVSS Score: 9.0 (Critical) Researcher/s: István Márton Final Summary All of the vulnerabilities we discovered and documented in 2023 were easily exploitable high impact vulnerabilities that required no user interaction. They were all prime targets for attackers, and we are glad we were able to work with the vendors to get these issues patched before attackers could find them. Due to the unique nature of many of these vulnerabilities, a new firewall rule is required in almost every case to protect against them. That is one of the reasons we strongly recommend running a WordPress-specific web application firewall like Wordfence on your WordPress site. More Vulnerabilities Found in 2023 We didn’t stop there, over the year 2023 we found several other vulnerabilities and worked with vendors to get them patched. You can read more about these vulnerability types and what we discovered below. SQL Injection A SQL injection vulnerability occurs when an attacker is able to inject arbitrary SQL code into a SQL statement. This is often used to exfiltrate sensitive data like password hashes from the database. We found more than 30 SQL injection vulnerabilities in 2023. All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in SQL Injection protection. Stored Cross-Site Scripting (XSS) A stored Cross-Site Scripting vulnerability occurs when an attacker is able to store the exploit payload, often malicious JavaScript, on the website. The stored malicious code may only load on a specific admin settings page. This means that the attacker has to wait until the victim, in the most serious cases an administrator, opens the affected admin page. This is a much more complicated attack, it requires preparation and the attacker has to wait for the victim, but the impact can be critical. It may happen that the malicious script is stored on a public and easily accessible page, even on the home page, but this is the rarest case. As with all XSS vulnerabilities, a malicious payload could be used to perform actions as an administrator, including adding new malicious administrator users to the site and embedding backdoors in plugin and theme files, as well as redirecting users to malicious sites. We found a total of more than 170 stored cross-site scripting vulnerabilities in 2023. Highlighting Alex Thomas’s research, who found unauthenticated stored cross-site scripting vulnerabilities in a total of 14 email plugins. Title: Multiple WordPress Plugins – Unauthenticated Stored Cross-Site Scripting via Email CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Highlighting the Wordfence Threat Intelligence team’s research, where we found shortcode-based stored cross-site scripting vulnerabilities in more than 100 plugins. Title: Multiple WordPress Plugins – Contributor+ Stored Cross-Site Scripting via Shortcode CVSS Score: 6.4 (Medium) Researcher/s: István Márton, Alex Thomas All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting protection. Reflected Cross-Site Scripting (XSS) A Reflected Cross-site Scripting vulnerability occurs when an attacker exploits improper escaping and sanitization in an URL parameter, crafting a specific link that contains the XSS payload. The attacker must wait for the victim to open the link. This XSS type generally involves some degree of social engineering in order to be successful and it’s worth noting that the payload is never stored on the server so the chance of success relies on the initial interaction with the user. All Wordfence users, including those using Wordfence Free, Premium, Care, and Response, are protected from exploits targeting this type of vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting protection. Cross-Site Request Forgery (CSRF) A Cross-Site Request Forgery makes it possible for attackers to forge requests on behalf of a site administrator, when there is a lack of a nonce check in the vulnerable function. This was one of the most common vulnerability types disclosed in 2023. The attacker must trick a victim into clicking on a link. The impact can vary widely, ranging from trivial to very serious, depending on the vulnerable code. We often don’t focus on CSRF during our research because it’s not likely to be exploited en masse due to the unique nature of CSRF. This is fortunate, as it is impractical to defend against CSRF vulnerabilities with a Web Application Firewall. Conclusion We hope to provide some insight into our research efforts with the 2023 Wordfence Critical Vulnerability Research in Review, highlighting the most impactful vulnerabilities and detailing how we protect our customers from potential threats. We express our gratitude to the talented independent researchers working to make the WordPress ecosystem more secure and hope that our own internal efforts and our Bug Bounty Program motivates them to find the most impactful vulnerabilities so that they can be responsibly disclosed. Together, we can accomplish far more than our individual efforts. Join the Bug Bounty Program today! https://www.wordfence.com/threat-intel/researcher-register

This content was originally published here.