During testing of the plugin, a vulnerability was discovered that allows a user holding only the "Subscriber" role (the lowest default privilege level) to call AJAX actions that return the following data: the login and password stored in the database (which is very critical), the login and password of the mailbox, the output of phpinfo(), and all other information the plugin can report about the web application.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2023-5713 |
| Plugin | System Dashboard <= 2.8.7 |
| Critical | Very High |
| All Time | 20 534 |
| Active installations | 1 000+ |
| Publicly Published | January 1, 2024 |
| Last Updated | January 1, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A3: Sensitive Data Exposure |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5713 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/system-dashboard/system-dashboard-287-missing-authorization-to-information-disclosure-sd-option-value |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
|---|---|
| November 10, 2023 | Plugin testing and vulnerability detection in the System Dashboard plugin have been completed |
| November 10, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 15, 2023 | The author fixed the vulnerability and released the plugin update |
| January 1, 2024 | Registered CVE-2023-5713 |
Discovery of the Vulnerability
During extensive testing of the System Dashboard plugin for WordPress, a critical vulnerability was identified. This flaw allows users, even those with the relatively lower privileges of a “Subscriber,” to exploit AJAX requests that retrieve highly sensitive information. The compromised data includes login credentials stored in the database, passwords linked to email accounts, phpinfo() outputs, and comprehensive information about the web application.
Understanding Broken Logic Control Attacks
The vulnerability stems from a breakdown in the logical controls within the System Dashboard plugin. Logical controls are meant to ensure that users can only access information and functionalities appropriate for their assigned roles. In this case, the plugin fails to implement proper checks, enabling users with lower privileges to make unauthorized AJAX requests and retrieve critical data.
Real-world examples of broken logic vulnerabilities often involve scenarios where privilege escalation is possible, allowing users to access sensitive data or perform actions beyond the scope of their assigned roles. In the context of System Dashboard, this flaw represents a significant lapse in the logical controls meant to safeguard sensitive information.
Exploiting the Broken Logic Control Vulnerability
Exploiting the broken logic vulnerability in System Dashboard entails initiating AJAX requests that the plugin should restrict to higher-privileged roles. By leveraging this flaw, a user with Subscriber-level access or above can extract login credentials from the database, access email account passwords, obtain phpinfo() outputs, and retrieve other detailed information about the web application.
Attackers could craft specific requests or manipulate existing functionalities within the plugin to bypass logical controls, gaining unauthorized access to sensitive data.
PoC request:
https://your_site/wordpress/wp-admin/admin-ajax.php?action=sd_option_value&option_name=mailserver_pass&fast_ajax=true&load_plugins%5B%5D=system-dashboard%2Fsystem-dashboard.php
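The request shape shown above (admin-ajax.php with action=sd_option_value and an option_name parameter) is easy to spot in web-server access logs. The following is an added detection example, not code from the advisory or from the plugin: a PHP CLI script that parses combined-log-format lines, picks out calls to that action, and rates them higher when the requested option name is one of the sensitive names the advisory mentions and the server answered 200. The log lines and the list of sensitive option names are constructed for this example.

```php
<?php
/**
 * Added example (not from the advisory or the System Dashboard plugin): scan
 * access-log lines for admin-ajax.php calls that read plugin options by name,
 * the request shape shown in the PoC. Sample lines are constructed; the list of
 * sensitive option names is an assumption used only for scoring.
 */

const SUSPECT_ACTION         = 'sd_option_value';
const SENSITIVE_OPTION_NAMES = array( 'mailserver_pass', 'mailserver_login' );

/** Parse one combined-log-format line into ip, time, method, path, query and status. */
function parse_access_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $url = parse_url( $m[4] );
    parse_str( $url['query'] ?? '', $query );
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[5],
    );
}

/** Return a finding when the request targets the option-reading action, otherwise null. */
function classify_request( array $req ): ?array {
    if ( substr( $req['path'], -strlen( '/admin-ajax.php' ) ) !== '/admin-ajax.php' ) {
        return null;
    }
    if ( ( $req['query']['action'] ?? '' ) !== SUSPECT_ACTION ) {
        return null;
    }
    $option    = (string) ( $req['query']['option_name'] ?? '' );
    $is_secret = in_array( strtolower( $option ), SENSITIVE_OPTION_NAMES, true );
    return array(
        'ip'       => $req['ip'],
        'time'     => $req['time'],
        'option'   => $option,
        // A 200 on a sensitive option name means the value was most likely returned.
        'severity' => ( $is_secret && 200 === $req['status'] ) ? 'high' : 'medium',
    );
}

/** Run every line through the parser and classifier; returns the list of findings. */
function scan_log( array $lines ): array {
    $findings = array();
    foreach ( $lines as $line ) {
        $req = parse_access_line( $line );
        if ( $req && ( $finding = classify_request( $req ) ) ) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample: an ordinary admin page load, a probe for the mail-server
// password, and a probe for a non-sensitive option.
$sample = array(
    '203.0.113.10 - - [10/Nov/2023:12:00:01 +0000] "GET /wordpress/wp-admin/index.php HTTP/1.1" 200 5120',
    '203.0.113.10 - - [10/Nov/2023:12:00:07 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=sd_option_value&option_name=mailserver_pass&fast_ajax=true HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Nov/2023:12:01:15 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=sd_option_value&option_name=blogname HTTP/1.1" 200 40',
);

foreach ( scan_log( $sample ) as $f ) {
    printf( "[%s] %s %s option_name=%s\n", $f['severity'], $f['time'], $f['ip'], $f['option'] );
}
```

One caveat for anyone adapting this: admin-ajax.php accepts POST as well as GET, and POST bodies are not written to standard access logs, so a log-only check can miss the same call sent as a POST. Pair it with application-side logging inside the AJAX handler (for example, logging the acting user ID and option name whenever the action is invoked) to cover both paths.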
___
The potential risks associated with this vulnerability are severe. Unauthorized access to login credentials, email passwords, and detailed information about the web application could lead to a range of malicious activities, including unauthorized account access, data theft, and potentially, full compromise of the web application.
In a real-world scenario, an attacker with Subscriber-level access could exploit this vulnerability to extract login credentials from the database, compromise email accounts, and gather comprehensive information about the web application’s configuration.
Recommendations for Improved Security
- Role-Based Access Control (RBAC): Implement robust RBAC mechanisms to ensure that each user role has appropriately restricted access based on the principle of least privilege.
- AJAX Request Authentication: Implement strong authentication mechanisms for AJAX requests, ensuring that only authorized users can access sensitive functionalities.
- Regular Security Audits: Conduct regular security audits of the plugin’s codebase to identify and rectify vulnerabilities, including those related to logical controls.
- User Input Validation: Implement thorough validation and sanitization of user inputs to prevent injection attacks and unauthorized access.
- Security Patching: Promptly release and apply security patches to address vulnerabilities as they are discovered.
By addressing these recommendations, the System Dashboard plugin can significantly bolster its security posture, preventing unauthorized access to sensitive data and enhancing the overall protection of WordPress installations.
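To make the failure described in the "Understanding" section and the first, second and fourth recommendations concrete, here is an added example that is not the System Dashboard plugin's own code. It shows a hypothetical WordPress AJAX handler that returns a plugin option by name, first in the broken pattern this advisory describes (any logged-in user, a Subscriber included, can reach it and choose the option name) and then hardened with a capability check, a nonce check and an allowlist of readable options. The hook name, the nonce action name, the script handle and the allowlisted option names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not the System Dashboard plugin's own code): a hypothetical
 * WordPress AJAX action that reads a plugin option by name. The first handler
 * shows the broken-access-control pattern described in the advisory; the second
 * is the hardened form. Hook, nonce and option names are assumptions.
 */

// --- Broken pattern (shown for contrast; NOT registered below) ---------------
// wp_ajax_{action} fires for every authenticated user regardless of role, so
// with no capability check, no nonce and an attacker-chosen option name, a
// request carrying option_name=mailserver_pass hands back the stored secret.
function example_option_value_vulnerable() {
    $name = isset( $_GET['option_name'] ) ? $_GET['option_name'] : '';
    wp_send_json_success( get_option( $name ) );
}

// --- Hardened handler --------------------------------------------------------

/** Options the dashboard may expose over AJAX; credentials are deliberately absent. */
const EXAMPLE_READABLE_OPTIONS = array( 'blogname', 'timezone_string', 'date_format' );

add_action( 'wp_ajax_example_option_value', 'example_option_value_secure' );

function example_option_value_secure() {
    // 1. Role-based access control: only administrators may read site configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. AJAX request authentication: require a nonce issued to this user for
    //    this action (check_ajax_referer() dies with a 403 when it is missing or invalid).
    check_ajax_referer( 'example_option_value_nonce', 'nonce' );

    // 3. Input validation: normalise the name and refuse anything not allowlisted,
    //    so a caller cannot pick arbitrary options such as mail-server credentials.
    $name = isset( $_GET['option_name'] ) ? sanitize_key( wp_unslash( $_GET['option_name'] ) ) : '';
    if ( ! in_array( $name, EXAMPLE_READABLE_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not readable via AJAX' ), 400 );
    }

    wp_send_json_success( array( 'option' => $name, 'value' => get_option( $name ) ) );
}

// Client side: hand the nonce only to administrators' dashboard script (the
// 'example-dashboard' handle is assumed to be enqueued elsewhere). A Subscriber
// never receives a nonce for this action, so step 2 rejects them even if they
// somehow passed step 1.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'example-dashboard', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_option_value_nonce' ),
    ) );
} );
```

The three checks are layered on purpose: the capability check enforces the role boundary, the nonce ties the request to a session that was actually shown the page, and the allowlist means that even an administrator's request cannot be bent into reading credentials that the dashboard has no reason to display. Note that sanitize_key() lowercases its input, so the allowlist must contain lowercase option names.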
#WordPressSecurity #BrokenLogicControl #WebsiteSafety #StayProtected #SuperHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.