Simple Author Box < 2.52 – Contributor+ Arbitrary User Information Disclosure via IDOR | CVE 2023-3601 | Plugin Vulnerabilities

Description

The plugin does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.

Proof of Concept

1. Create a new Post as a Contributor user.
2. Add the "Simple Author Box" block.
3. Intercept the request to `/wp-admin/admin-ajax.php` upon addition of the block. Change the `author_ID` parameter to an ID of a user of your choosing.
4. Inspect the response to see all of the information about that user, including the hashed password.

Affects Plugins

simple-author-box

Fixed in 2.52

References

CVE

URL

https://blog.cleantalk.org/cve-2023-3601-simple-author-box-2-52-contributor-arbitrary-user-information-disclosure-via-idor/

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitriy

Submitter

Dmitriy

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

c0cc513e-c306-4920-9afb-e33d95a7292f

Timeline

Publicly Published

2023-07-24 (about 2 years ago)

Added

2023-07-24 (about 2 years ago)

Last Updated

2023-08-22 (about 2 years ago)

Other

Published

Title

Published

2025-01-10

Title

Unlimited Theme Addon For Elementor and WooCommerce < 1.2.3 - Authenticated (Contributor+) Post Disclosure

Published

2025-10-21

Title

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier < 2.0.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out

Published

2025-07-30

Title

Motors < 1.4.81 - Unauthenticated Insecure Direct Object Reference

Published

2022-11-12

Title

Workreap - Freelance Marketplace and Directory < 2.6.3 - Subscriber+ Private Message Disclosure via IDOR

Published

2023-12-05

Title

WP Photo Album Plus < 8.6.01.003 - Insecure Direct Object Reference