During testing of the plugin, a vulnerability was discovered that allows a user holding only the “Subscriber” role (the lowest default privilege level) to call AJAX actions that return the output of phpinfo() and the other information the plugin gathers about the web application.
Main info:
CVE | CVE-2023-5711
Plugin | System Dashboard <= 2.8.7
Severity | Medium
All-time downloads | 20 534
Active installations | 1 000+
Publicly Published | January 1, 2024
Last Updated | January 1, 2024
Researcher | Dmitrii Ignatyev
OWASP TOP-10 | A3:2017 Sensitive Data Exposure
PoC | Yes
Exploit | No
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5711 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/system-dashboard/system-dashboard-288-missing-authorization-to-information-disclosure-sd-php-info
Plugin Security Certification by CleanTalk |
Timeline
November 10, 2023 | Testing of the System Dashboard plugin completed and the vulnerability identified |
November 10, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
November 15, 2023 | The author fixed the vulnerability and released the plugin update |
January 1, 2024 | Registered CVE-2023-5711 |
Discovery of the Vulnerability
During the examination of the System Dashboard plugin for WordPress, a missing-authorization flaw was identified. The sd_php_info() function is registered as an admin-ajax handler (the wp_ajax_sd_php_info action) but performs no capability check, in all versions of the plugin up to and including 2.8.7. Because WordPress's wp_ajax_{action} hooks only require that the caller be logged in, any authenticated user from the Subscriber role upwards can invoke the handler and retrieve the output of phpinfo().
Understanding Broken Logic Control Attacks
Broken logic control vulnerabilities occur when the logic or conditions that enforce security checks or access controls within an application are flawed or missing. In WordPress the classic instance is a hook handler (an AJAX action, a REST route, an admin-post action) that is reachable by any logged-in user but never asks whether that user is actually allowed to perform the operation: authentication is enforced by the platform, authorization is left to the plugin, and the plugin omits it. Real examples in WordPress include bypassing authentication mechanisms, reading restricted resources, or executing privileged actions without proper authorization. In the case of the System Dashboard plugin, the absence of a capability check on the sd_php_info handler lets a low-privilege user read data intended for administrators; in OWASP terms this is broken access control leading to sensitive data exposure.
Exploiting the Broken Logic Control Vulnerability
To exploit the vulnerability, an authenticated attacker with Subscriber-level access or higher sends a request to admin-ajax.php with action=sd_php_info. Because the handler performs no capability check, it runs phpinfo() for the caller regardless of their role.
The phpinfo() page discloses the PHP version and build, loaded extensions and their versions, the server software and document root, include paths, and the environment and $_SERVER variables, which on some hosts contain database credentials or API keys. This is not code execution by itself, but it is exactly the reconnaissance an attacker needs to pick a working exploit for an outdated extension or to find a misconfiguration to chain with.
PoC request (issue it with the session cookies of any logged-in account, even a Subscriber; a vulnerable version answers with the full phpinfo() HTML page, whereas a correct fix must reject the call before phpinfo() runs):
https://your_site/wordpress/wp-admin/admin-ajax.php?action=sd_php_info&fast_ajax=true&load_plugins[]=system-dashboard
___
Recommendations for Improved Security
- Update the System Dashboard plugin to the latest patched version provided by the plugin developer (any version newer than 2.8.7).
- Implement proper access controls and capability checks: every wp_ajax_* handler that exposes administrative data must call current_user_can() with an appropriate capability (manage_options for phpinfo-level detail) and verify a nonce with check_ajax_referer() before doing any work. Never treat "the caller is logged in" as authorization.
- Regularly audit and monitor plugin code for vulnerabilities, and promptly apply security patches or fixes as they become available.
- Educate users, especially administrators and developers, about the importance of securing sensitive information and practicing safe coding practices.
- Consider utilizing security plugins or web application firewalls (WAFs) that can detect and block unauthorized access attempts or suspicious activity, for example low-privilege accounts requesting administrative AJAX actions.
- Stay informed about security best practices and emerging threats by subscribing to security mailing lists, following security blogs, and participating in relevant communities or forums.
By addressing these recommendations, the System Dashboard plugin can significantly bolster its security posture, preventing unauthorized access to sensitive data and enhancing the overall protection of WordPress installations.
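The vulnerable pattern beside its hardened form, as an added example written for this write-up. It is not code from the System Dashboard plugin or from its author; the action names, function names, nonce action and script handle (example_php_info, example-dashboard, and so on) are hypothetical, and the WordPress functions used (add_action, current_user_can, check_ajax_referer, wp_send_json_error, wp_create_nonce, wp_localize_script) are the real core API.

```php
<?php
// Added example (hypothetical names): a WordPress admin-ajax handler that
// exposes phpinfo() in the shape CVE-2023-5711 describes, next to a hardened
// version of the same handler.

// --- Vulnerable pattern: authentication only, no authorization, no nonce. ---
// The wp_ajax_{action} hook fires for any logged-in user, so a Subscriber can
// request /wp-admin/admin-ajax.php?action=example_php_info and receive the
// complete phpinfo() page. Nothing here asks what the caller may do.
add_action( 'wp_ajax_example_php_info', 'example_php_info_vulnerable' );
function example_php_info_vulnerable() {
    phpinfo();
    wp_die(); // admin-ajax handlers must terminate explicitly
}

// --- Hardened pattern: capability check plus nonce. ---
// 1. current_user_can( 'manage_options' ) is the authorization check the
//    vulnerable handler lacks: by default only administrators hold it, so a
//    Subscriber gets a 403 JSON error instead of phpinfo() output.
// 2. check_ajax_referer() requires a valid nonce and dies on failure, so an
//    administrator cannot be made to trigger the action cross-site (CSRF).
// Both checks run before any sensitive work.
add_action( 'wp_ajax_example_php_info_secure', 'example_php_info_secure' );
function example_php_info_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() sends the response and calls wp_die() itself.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'example_php_info_nonce', 'nonce' );
    phpinfo();
    wp_die();
}

// Deliberately no wp_ajax_nopriv_* registration for either action: with it,
// unauthenticated visitors could reach the handler; without it, admin-ajax.php
// replies "0" to anonymous requests before the plugin code runs.

// The nonce must be handed to the page that issues the request. Assuming the
// plugin has already enqueued a script under the handle 'example-dashboard',
// this exposes exampleDashboard.ajaxUrl and exampleDashboard.nonce to it, and
// the script sends `nonce` as a request parameter alongside `action`.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    wp_localize_script( 'example-dashboard', 'exampleDashboard', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_php_info_nonce' ),
    ) );
} );
```

To verify a fix of this shape, repeat the PoC request above as a Subscriber: the hardened handler returns a 403 JSON error body, and an administrator who omits the nonce is stopped by check_ajax_referer() before phpinfo() is reached.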
#WordPressSecurity #BrokenLogicControl #WebsiteSafety #StayProtected #MediumVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.