CVE-2023-2986: WordPress Plugin Vulnerability and the importance of PoC

Ayan Saha, Keysight ATI
Sep 4, 2023

Introduction

On June 6th 2023, Wordfence disclosed a vulnerability in the ‘Abandoned Cart Lite’ plugin (30k+ active installations), an add-on for the WooCommerce plugin (5 million active installations) for WordPress. The plugin tracks customers who leave the site after placing items in their cart and later emails them reminder links to their abandoned carts. When a customer clicks such a link, the plugin automatically logs them in and redirects them to the cart they had filled earlier.

The vulnerability, assigned CVE-2023-2986, was caused by a hardcoded encryption key used to create the aforementioned links. Because those links also log the user in, anyone who knows the hardcoded key can forge the links and take over user accounts. Given the popularity of the plugin, we decided to look at the vulnerability.

Patch Analysis

If we look at the changeset referenced by NIST, we can see that in version 5.15.0 the hardcoded key ‘wcal_security_key’ was removed.

Fig 1: Hardcoded key being removed

If we look at the function ‘wcal_email_track_links’, which appears to handle the links in question, we can see that a link is expected to carry a ‘wcal_action’ parameter and a ‘validate’ parameter, and that the entire value of the validate parameter is decrypted.

Fig 2: function which crafts the vulnerable links

Vulnerable Setup

To further understand the vulnerability, we set up a vulnerable environment following steps similar to those in our previous blog:

  • Install WordPress, the WooCommerce plugin and the Abandoned Cart plugin (version 5.14.2), and complete the basic WooCommerce setup.
  • Visit the resulting shop as a customer, add some items to the cart and leave without checking out.

Exploit Creation

We looked at the SQL database behind the WordPress installation and inspected the ‘wp_ac_abandoned_cart_history_lite’ table the plugin creates. It contained links that look like the ones discussed so far. To verify that, we pasted one of the links into a browser and were automatically logged in and taken to the cart, as expected.

Fig 3: Links as seen in the database
Fig 4: Links logging the user in

Returning to the structure of the link, the value of the validate parameter has to be decrypted. We copied the AES decryption logic from the vulnerable plugin itself and tried to decrypt the value with the hardcoded key. That did not work, but decrypting with an empty encryption key succeeded.

Fig 5: Decrypting the vulnerable links

The decrypted text in the image above contains a cart id (‘1’) and the URL of the checkout page. For exploitation, then, an attacker only needs a valid cart id: whichever user owns that cart is compromised.

We created a proof of concept that enumerates user ids starting from 1, encrypts each with the empty key and checks whether the authentication bypass works.

Fig 6: ATI-provided proof of concept exploiting the vulnerability

If the compromised user is an administrator, as in this case, the attacker gains control of the WordPress admin account, which can ultimately lead to remote code execution.

We have shared the proof of concept we created as part of this process at: https://github.com/Ayantaker/CVE-2023-2986
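The enumeration described above leaves a clear trace in the web server's access log: a single client requesting many different ‘validate’ values within a short time. The following Python is an added example, not code from the original post or from the plugin, that flags such bursts. The log lines are constructed, the action value ‘checkout_link’ is a placeholder (the write-up only gives the parameter names ‘wcal_action’ and ‘validate’), and the window and threshold are assumptions to tune per site:

```python
"""Flag mass-guessing of cart-recovery links in web server access logs.

Added example, not part of the original write-up or of the plugin. Only the
query parameter names 'wcal_action' and 'validate' come from the write-up;
the action value, the log lines, the window and the threshold are assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined"-style line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real): one client tries eight different
# 'validate' values in eight seconds, another client clicks one real link.
SAMPLE_LOG_LINES: List[str] = [
    f'203.0.113.5 - - [04/Sep/2023:10:00:{i:02d} +0000] '
    f'"GET /?wcal_action=checkout_link&validate=guess{i:02d} HTTP/1.1" 200 512'
    for i in range(1, 9)
] + [
    '198.51.100.7 - - [04/Sep/2023:10:00:05 +0000] '
    '"GET /?wcal_action=checkout_link&validate=token-from-reminder-email HTTP/1.1" 302 -',
    '198.51.100.7 - - [04/Sep/2023:10:00:06 +0000] "GET /checkout/ HTTP/1.1" 200 8192',
    '203.0.113.5 - - [04/Sep/2023:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]


def parse_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (client ip, unix time, validate value) for cart-recovery requests, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    query = parse_qs(urlparse(match["path"]).query)
    if "wcal_action" not in query or "validate" not in query:
        return None
    when = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return match["ip"], int(when.timestamp()), query["validate"][0]


def find_enumeration(lines: List[str], window_seconds: int = 60,
                     threshold: int = 5) -> List[Tuple[str, int]]:
    """Return (ip, peak distinct tokens) for clients that presented at least
    `threshold` different 'validate' values inside any `window_seconds` window.

    A legitimate customer clicks one link from one email; a guessing script
    cycles through many tokens, which is the signal counted here.
    """
    events: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, when, token = parsed
            events[ip].append((when, token))

    flagged: List[Tuple[str, int]] = []
    for ip, evs in events.items():
        evs.sort()
        in_window: Counter = Counter()  # distinct tokens currently inside the window
        left = 0
        peak = 0
        for when, token in evs:
            in_window[token] += 1
            # Drop events that fell out of the sliding window.
            while evs[left][0] < when - window_seconds:
                old_token = evs[left][1]
                in_window[old_token] -= 1
                if in_window[old_token] == 0:
                    del in_window[old_token]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged.append((ip, peak))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG_LINES):
        print(f"{ip}: {count} distinct validate tokens within one window")
```

Counting distinct tokens rather than raw requests keeps a customer who reloads the same reminder link from tripping the rule; the threshold is deliberately low because a normal client never needs more than one or two such links.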

Did the patch work?

We used our proof of concept to test the supposedly patched version 5.15.0 and found that the vulnerability was not completely fixed: we were still able to exploit it. We reported the issue to the plugin author, and the plugin was fully patched in 5.15.2. If we look at the description of the CVE, we see it was updated to include the following:

“Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn’t permit the authentication bypass.”
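For comparison, the following Python shows how a login link of this kind can be built so that neither a key shared by every installation nor an empty key lets anyone forge it. It is an added example, not the plugin's PHP code or its patched logic: the ‘validate’ value is an HMAC-signed, expiring token under a key generated randomly once per site; verification fails closed on an empty or short key, which is the point of the 5.15.2 hardening; and the expiry bounds how long historical links stay usable. The parameter names ‘wcal_action’ and ‘validate’ come from the write-up; the action value ‘checkout_link’, the function names and the payload layout are this example's own.

```python
"""Signed, expiring cart-recovery links with a per-site random key.

Added example, not the plugin's code. Assumed names: the action value
'checkout_link', the function names and the JSON payload layout; only the
query parameters 'wcal_action' and 'validate' come from the write-up.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


class TokenError(Exception):
    """Raised whenever a link must not log anyone in."""


def generate_site_key() -> bytes:
    """256-bit key generated once per installation and stored in site options.

    Contrast with the vulnerable design: one key shared by every install,
    and then no key at all once the hardcoded value was removed."""
    return secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _require_key(site_key: bytes) -> None:
    # Fail closed: a missing, null or empty key must never fall back to a default.
    if not isinstance(site_key, (bytes, bytearray)) or len(site_key) < 32:
        raise TokenError("site key missing or too short")


def make_cart_link(site_key: bytes, cart_id: int, base_url: str,
                   ttl_seconds: int = 7 * 24 * 3600,
                   now: Optional[int] = None) -> str:
    """Build a reminder link whose 'validate' value is an HMAC-signed, expiring token."""
    _require_key(site_key)
    issued = int(time.time()) if now is None else now
    payload = {"cart_id": cart_id, "exp": issued + ttl_seconds}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(site_key, body.encode("ascii"), hashlib.sha256).digest()
    query = urlencode({"wcal_action": "checkout_link", "validate": f"{body}.{_b64e(sig)}"})
    return f"{base_url}/?{query}"


def verify_cart_link(site_key: bytes, link: str, now: Optional[int] = None) -> int:
    """Return the cart id only if the token is well-formed, correctly signed and unexpired."""
    _require_key(site_key)
    params = parse_qs(urlparse(link).query)
    if params.get("wcal_action") != ["checkout_link"] or "validate" not in params:
        raise TokenError("not a cart-recovery link")
    try:
        body, sig_text = params["validate"][0].split(".", 1)
        expected = hmac.new(site_key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; signature is checked before the payload is trusted.
        if not hmac.compare_digest(expected, _b64d(sig_text)):
            raise TokenError("bad signature")
        payload = json.loads(_b64d(body))
        cart_id = int(payload["cart_id"])
        expires = int(payload["exp"])
    except (ValueError, TypeError, KeyError) as exc:
        raise TokenError("malformed token") from exc
    if expires < (int(time.time()) if now is None else now):
        raise TokenError("link expired")
    return cart_id


if __name__ == "__main__":
    key = generate_site_key()
    link = make_cart_link(key, 1, "https://shop.example")
    print(link)
    print("cart id:", verify_cart_link(key, link))
```

With this layout the cart id travels in the clear and the secrecy of the key matters only for the signature, so there is nothing to decrypt and no "empty key still decrypts" failure mode; rotating the site key invalidates every outstanding link at once, which is the blunt version of the 5.15.1 fix for historical links.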

Conclusion

In this blog, we analyzed a vulnerability in a WordPress plugin. We saw how root cause analysis like this helps researchers create proofs of concept for newly disclosed vulnerabilities. This exploration underscored the vital role such proofs of concept play: not just as tools that could be misused by attackers, but as essential mechanisms to verify that future versions are patched effectively.

Originally published at https://www.keysight.com.
