CVE-2023-28417
Description
Missing Authorization vulnerability in AlexaCRM Dynamics 365 Integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dynamics 365 Integration: from n/a through 1.3.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in AlexaCRM Dynamics 365 Integration plugin for WordPress allows unprivileged users to exploit incorrectly configured access control, leading to unauthorized actions.
Vulnerability
Overview
CVE-2023-28417 is a missing authorization vulnerability in the AlexaCRM Dynamics 365 Integration plugin for WordPress, affecting versions up to 1.3.12. The plugin fails to properly enforce access control checks, allowing users with low privileges to access or execute functions that should be restricted to higher-privileged roles [1].
Exploitation
An attacker who has authenticated with a minimal WordPress role (e.g., subscriber) can exploit the missing authorization to perform actions intended for administrators or other privileged users. The vulnerability stems from a lack of authorization, authentication, or nonce token checks in certain plugin functions [1]. This type of broken access control is frequently targeted in mass-exploit campaigns, as it can be automated against thousands of sites [1].
Impact
Successful exploitation could allow an attacker to modify Dynamics 365 integration settings, access sensitive data, or perform other unauthorized operations within the WordPress environment. While the CVSS score is 5.4 (Medium), the practical impact depends on the specific misconfigured access control levels present in the plugin [1].
Mitigation
The vulnerability has been patched in version 1.3.13 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.3.12
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.