All Users Messenger <= 1.24 – Subscriber+ Message Deletion via IDOR | CVE 2023-4023 | Plugin Vulnerabilities

Description

The plugin does not prevent non-administrator users from deleting messages from the all-users messenger.

Proof of Concept

1) Go to the messenger
2) Catch a request that is constantly running at intervals of 3 seconds
3) Change the message time argument to true
4) Set true for permission to delete a comment. e.g. `{"userid":2,"delete":{"1690817948":true},"submit_delete":true}`

Affects Plugins

all-users-messenger

No known fix

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4023-all-users-messenger/

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

682c0226-28bd-4051-830d-8b679626213d

Timeline

Publicly Published

2023-08-07 (about 9 months ago)

Added

2023-08-07 (about 9 months ago)

Last Updated

2023-08-22 (about 8 months ago)

Other

Published

Title

Published

2024-04-24

Title

SP Project & Document Manager <= 4.71 - Data Update via IDOR

Published

2024-01-10

Title

WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak

Published

2023-12-29

Title

WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR

Published

2020-12-28

Title

WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR

Published

2022-11-26

Title

wpForo Forum < 2.0.6 - Subscriber+ Forum Post Set as Private/Public via IDOR