CVE-2023-1874 Privilege Escalation Vulnerability Jeopardizes Over 10,000 WordPress Sites
A recent discovery by the Wordfence Threat Intelligence team has revealed a serious privilege escalation vulnerability in the WP Data Access plugin for WordPress, which is installed on over 10,000 sites. CVE-2023-1874, with a CVSS score of 7.5, affects versions up to and including 5.3.7 and enables authenticated attackers to grant themselves administrative privileges. To safeguard your website, it’s essential to update your WP Data Access plugin to version 5.3.8, which patches the vulnerability.
The WP Data Access plugin is designed to simplify data table creation and management in WordPress. A key feature of the plugin is role management, which allows site owners to create custom roles and assign multiple roles to users. However, this functionality was insecurely implemented, making it possible for authenticated users, even those with minimal permissions like subscribers, to assign themselves any role, including administrator.
The issue lies in the lack of authorization checks on the ‘multiple_roles_update’ function. When the ‘Enable role management’ setting is enabled, authenticated attackers can modify their user role by supplying the ‘wpda_role[]’ parameter during a profile update.
CVE-2023-1874 poses a significant threat to WordPress sites, as it allows for complete site compromise. Once an attacker gains administrative user access, they can manipulate the targeted site as a normal administrator would. This includes uploading plugin and theme files, which may contain backdoors, and modifying posts and pages to redirect site users to malicious sites.
The ‘multiple_roles_update’ function, which is hooked via ‘profile_update’, is triggered immediately after any user profile is updated. However, it does not perform any authorization checks on the user performing the action. As a result, any authenticated user can invoke the ‘multiple_roles_update’ function.
The function checks whether the role management setting is enabled but performs no further checks. It then processes the supplied roles and adds each role, with its associated capabilities, to the user. Consequently, a low-privileged authenticated user, such as a subscriber, can supply the ‘wpda_role’ array parameter with any desired role, including administrator, during a profile update, and the role is granted as soon as the profile is saved.
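The following is an added illustration of the pattern described above, written for this article and not taken from the WP Data Access plugin or from Wordfence: a ‘profile_update’ handler that applies roles from a ‘wpda_role[]’ request parameter, first in the insecure shape the advisory describes (the only gate is the setting toggle), then hardened. The option name ‘example_enable_role_management’, the nonce name and the function names are assumptions made up for the example; the hooks and WordPress API calls (‘profile_update’, ‘current_user_can’, ‘wp_verify_nonce’, ‘wp_roles()’, ‘WP_User::add_role’) are the real core ones.

```php
<?php
/**
 * Illustrative example, not the WP Data Access plugin's code.
 * The 'example_enable_role_management' option and all example_* names are hypothetical.
 */

// INSECURE pattern (the advisory's description): fires on every profile update,
// including a subscriber saving their own profile, and trusts whatever is posted.
function example_roles_update_insecure( $user_id ) {
    if ( ! get_option( 'example_enable_role_management' ) ) { // setting toggle is the only gate
        return;
    }
    if ( empty( $_POST['wpda_role'] ) || ! is_array( $_POST['wpda_role'] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    foreach ( (array) wp_unslash( $_POST['wpda_role'] ) as $role ) {
        $user->add_role( sanitize_key( $role ) ); // nobody asked whether the *acting* user may assign roles
    }
}
// add_action( 'profile_update', 'example_roles_update_insecure' );

// HARDENED pattern: the same feature, but the request must prove intent (nonce)
// and the acting user must hold the authority to assign roles (capability).
function example_roles_update_secure( $user_id ) {
    if ( ! get_option( 'example_enable_role_management' ) ) {
        return;
    }
    if ( empty( $_POST['wpda_role'] ) || ! is_array( $_POST['wpda_role'] ) ) {
        return;
    }
    // Authorization is checked against the user making the request, not the profile
    // being edited: a subscriber editing their own profile fails 'promote_users'.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // The nonce ties the submission to a form this site rendered for this user, blocking CSRF.
    $nonce = isset( $_POST['example_roles_nonce'] ) ? sanitize_key( $_POST['example_roles_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_roles_update_' . $user_id ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    foreach ( (array) wp_unslash( $_POST['wpda_role'] ) as $role ) {
        $role = sanitize_key( $role );
        // Only roles that actually exist on this site are assignable.
        if ( wp_roles()->is_role( $role ) ) {
            $user->add_role( $role );
        }
    }
}
add_action( 'profile_update', 'example_roles_update_secure' );
```

The important design point is which user the check runs against. ‘profile_update’ fires for every call to ‘wp_update_user’, including a user saving their own profile, so a handler in this hook must verify the capabilities of the current (acting) user rather than assume the request came from an administrator's screen. In multisite, or where the set of assignable roles should be narrower than "every role that exists", ‘get_editable_roles()’ (available in admin context) is the stricter filter to use in place of ‘is_role’.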
The WP Data Access plugin developers have released a patch to address this vulnerability in version 5.3.8. Site owners are strongly advised to update their plugin to the latest version to protect their sites from potential exploits.
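As a detection-side complement to patching, here is an added example of a small must-use plugin, written for this article and not part of WP Data Access or Wordfence, that records every role grant and flags grants of privileged roles made in a request whose acting user lacks the ‘promote_users’ capability, which is exactly the shape of the escalation described above. The ‘set_user_role’ and ‘add_user_role’ actions and ‘wp_mail’ are real WordPress core APIs; the ‘example_’ names and the list of roles treated as privileged are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Example Role Change Audit (drop into wp-content/mu-plugins/)
 * Illustrative example, not the plugin's or Wordfence's code. The example_* names
 * and the $privileged list are hypothetical choices for this demonstration.
 */

function example_audit_role_change( $user_id, $role, $old_roles = array() ) {
    $actor      = wp_get_current_user();          // who is making the request (ID 0 if none)
    $target     = get_userdata( $user_id );       // whose roles changed
    $privileged = array( 'administrator', 'editor' ); // roles worth alerting on; site-specific

    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    // One structured line per role grant, so the web server / PHP error log becomes an audit trail.
    $entry = sprintf(
        'role-audit: actor=%s(%d) target=%s(%d) new_role=%s old_roles=%s ip=%s uri=%s',
        $actor->ID ? $actor->user_login : 'anonymous',
        $actor->ID,
        $target ? $target->user_login : '?',
        $user_id,
        $role,
        implode( ',', (array) $old_roles ),
        $ip,
        isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-'
    );
    error_log( $entry );

    // A privileged role granted by an actor who cannot legitimately promote users is the
    // CVE-2023-1874 pattern (a subscriber making themselves administrator): notify a human.
    if ( in_array( $role, $privileged, true ) && ! current_user_can( 'promote_users' ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Suspicious role grant on ' . home_url(),
            $entry
        );
    }
}

// set_user_role passes ($user_id, $role, $old_roles); add_user_role passes ($user_id, $role).
add_action( 'set_user_role', 'example_audit_role_change', 10, 3 );
add_action( 'add_user_role', 'example_audit_role_change', 10, 2 );
```

Because the alert condition is evaluated against the acting user, legitimate grants made from WP-CLI or cron (where there is no logged-in user) will also trigger the email; treat those as expected noise or exclude them by checking ‘defined( 'WP_CLI' )’ and ‘wp_doing_cron()’ before sending. The log line is still written in every case, which is what an incident responder wants when reconstructing how an account acquired administrator rights.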