VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 9, 2024 · Updated Apr 28, 2026

CVE-2023-25959

Description

Missing Authorization vulnerability in Apollo13Themes Apollo13 Framework Extensions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apollo13 Framework Extensions: from n/a through 1.8.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing authorization vulnerability in Apollo13 Framework Extensions plugin allows low-privilege attackers to exploit incorrectly configured access control.

The Apollo13 Framework Extensions plugin for WordPress contains a missing authorization vulnerability (CVE-2023-25959). The root cause is that the plugin fails to properly enforce access controls on certain functions, meaning it does not check whether a user has the necessary permissions before allowing an action. This is a classic broken access control issue where security levels are incorrectly configured [1].

Exploitation of this vulnerability can be carried out by an authenticated user with low privileges. No special network position is required; the attacker only needs a valid WordPress account. The lack of authorization checks allows the attacker to execute actions normally reserved for higher-privileged users, such as administrators. This type of vulnerability is often used in mass-exploit campaigns, affecting thousands of websites regardless of their traffic or popularity [1].

The impact is that an unprivileged attacker can perform unintended operations within the WordPress site, potentially including modifying settings or data that should be protected. This can lead to unauthorized changes, data exposure, or further compromise of the site.

The vulnerability affects all versions up to and including 1.8.10. The vendor has released version 1.9.0 which addresses the issue. Users are strongly advised to update to this version or enable auto-updates if using Patchstack. No workarounds are mentioned, so updating is the recommended mitigation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

1
