During testing of the plugin, a vulnerability was discovered that leads to complete takeover of the administrator account and, subsequently, of the server itself. Imagine that I am an administrator who switched to another account with the plugin's button, while at that moment an automated script was sending a request to the server every 5 seconds to obtain the admin cookie. Thus the administrator has lost his cookies, which means that an attacker can change the password at any time and perform RCE, which leads to a complete takeover.
Main info:
| Field | Value |
| --- | --- |
| CVE | CVE-2023-7247 |
| Plugin | Login as User or Customer <= 3.8 |
| Severity | High |
| All Time | 19 234 |
| Active installations | 1 000+ |
| Publicly Published | February 20, 2023 |
| Last Updated | February 20, 2023 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A2: Broken Authentication and Session Management |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7247, https://wpscan.com/vulnerability/96b93253-31d0-4184-94b7-f1e18355d841/ |
| Plugin Security Certification by CleanTalk | (certification badge image) |
Timeline
| Date | Event |
| --- | --- |
| October 31, 2023 | Plugin testing and vulnerability detection in Login as User or Customer completed |
| October 31, 2023 | Contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| February 20, 2023 | CVE-2023-7247 registered |
Discovery of the Vulnerability
During testing of the “Login as User or Customer” plugin, a critical vulnerability was identified, enabling a complete takeover of the administrator account and potentially compromising the entire server. By exploiting a flaw in the plugin’s functionality, an attacker could intercept and manipulate sensitive data, including authentication tokens and cookies, leading to unauthorized access and control over the administrator account.
Understanding Account Takeover Attacks
Account takeover refers to the unauthorized acquisition and control of a user account by an attacker. In the context of WordPress, such attacks can have severe consequences, allowing malicious actors to gain administrative privileges and manipulate website content, steal sensitive data, or even compromise the entire server. Real-world examples of account takeover incidents in WordPress include exploiting vulnerabilities in plugins, themes, or core functionalities to bypass authentication mechanisms and gain unauthorized access.
Exploiting the Account Takeover Vulnerability
To exploit the vulnerability in the “Login as User or Customer” plugin, an attacker can trigger a series of actions that lead to the unauthorized takeover of the administrator account. By initiating a request to switch to another user account via the plugin’s interface and intercepting the subsequent server-side requests, the attacker can manipulate authentication tokens and cookies to impersonate the administrator. This allows them to gain full control over the administrator’s privileges and execute malicious actions, such as changing passwords or performing remote code execution (RCE) attacks.
POC:
1) The administrator switches to another account via the plugin's button.
2) Send the following request:

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: your_site
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 27
Origin: http://your_site
Connection: close
Referer: http://your_site/wordpress/
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wploginas_new_user_id=2; loginas_old_user_id=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=loginas_return_admin
```
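The request above lets the client name the account to return to through the `loginas_old_user_id` cookie. As an added example (this is not the plugin's code and does not describe how the patched release works), the following WordPress snippet shows a switch/return flow in which the original account is recorded server-side and bound to the impersonation session, so no cookie value decides who the caller becomes. All hook names, nonce actions, the meta key, the `edit_users` capability choice and the function names are assumptions; only the WordPress core functions called are real.

```php
<?php
/**
 * Added example, not the plugin's code: a user-switching "return to admin"
 * AJAX flow in which the original account is bound server-side to the
 * impersonation session, so a client-supplied cookie such as
 * loginas_old_user_id cannot name the account to return to.
 *
 * Every name below (hook names, nonce actions, the meta key, the capability
 * constant) is hypothetical; only the WordPress core functions are real.
 */

// Capability an account must hold to impersonate others (assumed value).
const EXAMPLE_SWITCH_CAP  = 'edit_users';
const EXAMPLE_ORIGIN_META = '_example_switch_origin';

add_action( 'wp_ajax_example_switch_user', 'example_handle_switch' );
// Deliberately no wp_ajax_nopriv_ hook: an unauthenticated request never
// reaches either handler.
add_action( 'wp_ajax_example_return_admin', 'example_handle_return_admin' );

/**
 * Switch into another account. The caller must send a nonce created with
 * wp_create_nonce( 'example_switch_user' ) in the "nonce" POST field.
 */
function example_handle_switch(): void {
    check_ajax_referer( 'example_switch_user', 'nonce' ); // dies on failure
    if ( ! current_user_can( EXAMPLE_SWITCH_CAP ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $admin_id  = get_current_user_id();
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $target_id || $target_id === $admin_id || ! get_userdata( $target_id ) ) {
        wp_send_json_error( 'invalid target', 400 );
    }
    // Refuse targets the switcher could not edit anyway, so switching never
    // grants more than the switcher already holds.
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Create the impersonation session ourselves so its token is known and
    // short-lived: core rejects the cookie once the session record expires,
    // so the impersonation stops after one hour regardless of cookie lifetime.
    $expires = time() + HOUR_IN_SECONDS;
    $token   = WP_Session_Tokens::get_instance( $target_id )->create( $expires );

    // Bind the origin to the target account AND to this exact session token.
    // Only a hash of the token is stored, mirroring how core stores sessions.
    update_user_meta( $target_id, EXAMPLE_ORIGIN_META, array(
        'admin_id'   => $admin_id,
        'token_hash' => hash( 'sha256', $token ),
        'expires'    => $expires,
    ) );

    wp_set_auth_cookie( $target_id, false, '', $token );
    wp_send_json_success( array( 'redirect' => home_url( '/' ) ) );
}

/**
 * Return to the original account. Nothing about *which* account is taken
 * from the request: it comes from the server-side record written above.
 */
function example_handle_return_admin(): void {
    check_ajax_referer( 'example_return_admin', 'nonce' );

    $current_id = get_current_user_id();
    $token      = wp_get_session_token(); // token of the current login cookie
    $origin     = get_user_meta( $current_id, EXAMPLE_ORIGIN_META, true );

    $valid = is_array( $origin )
        && isset( $origin['admin_id'], $origin['token_hash'], $origin['expires'] )
        && '' !== $token
        && hash_equals( (string) $origin['token_hash'], hash( 'sha256', $token ) )
        && (int) $origin['expires'] >= time();

    if ( ! $valid ) {
        // A stale or foreign record is useless: drop it and refuse.
        delete_user_meta( $current_id, EXAMPLE_ORIGIN_META );
        wp_send_json_error( 'no switch in progress', 403 );
    }

    $admin_id = (int) $origin['admin_id'];
    // Re-check the privilege at return time, not only at switch time, so a
    // demoted or deleted administrator cannot be restored.
    if ( ! get_userdata( $admin_id ) || ! user_can( $admin_id, EXAMPLE_SWITCH_CAP ) ) {
        delete_user_meta( $current_id, EXAMPLE_ORIGIN_META );
        wp_send_json_error( 'origin no longer permitted', 403 );
    }

    // One-shot: the record is consumed and the impersonation session is
    // destroyed before the administrator's cookie is issued.
    delete_user_meta( $current_id, EXAMPLE_ORIGIN_META );
    WP_Session_Tokens::get_instance( $current_id )->destroy( $token );

    wp_set_auth_cookie( $admin_id );
    wp_set_current_user( $admin_id );
    wp_send_json_success( array( 'redirect' => admin_url() ) );
}
```

Compared with the PoC request, three things change: the return action is registered only for logged-in users and requires a nonce, the account to return to is looked up from user meta written by the server at switch time rather than read from a cookie, and that record is tied to the hash of the session token the switch created and is deleted on first use, so a replayed or forged request cannot obtain the administrator's cookie.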
___
The potential risks associated with this vulnerability are severe, as it enables attackers to gain unauthorized access to sensitive areas of a WordPress site and compromise its integrity. In real-world scenarios, attackers could exploit this vulnerability to steal confidential information, deface the website, distribute malware, or launch other malicious activities. Additionally, the ability to perform RCE attacks could result in the complete takeover of the server, leading to data breaches, service disruptions, and reputational damage.
Recommendations for Improved Security
To mitigate the risk of account takeover vulnerabilities like CVE-2023-7247, WordPress site administrators should take several proactive measures:
- Regularly update plugins, themes, and the WordPress core to patch known vulnerabilities.
- Conduct thorough security audits of plugins and themes before installation, ensuring they adhere to best practices and security standards.
- Monitor user activity logs for suspicious behavior and promptly investigate any unauthorized access attempts.
- Educate website administrators and users about the importance of strong passwords, safe browsing habits, and security best practices to prevent account compromise.
By following these recommendations, website administrators can strengthen the security posture of their WordPress sites and reduce the risk of account takeover vulnerabilities, such as the one identified in the “Login as User or Customer” plugin.
DMITRII I.