CVE-2023-32094
Description
Missing Authorization vulnerability in Felix Welberg Extended Post Status allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Extended Post Status: from n/a through 1.0.19.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Extended Post Status plugin up to 1.0.19 allows unauthenticated attackers to exploit access control flaws.
Vulnerability Overview
The Extended Post Status plugin for WordPress, versions prior to 1.0.20, contains a missing authorization vulnerability. The plugin fails to enforce access control checks when processing certain requests, allowing attackers to bypass intended security restrictions [1]. The issue is classified as a broken access control vulnerability, which can be exploited to perform actions that should require higher privileges.
Exploitation Details
An attacker can exploit this vulnerability without needing any prior authentication, as the missing authorization check leaves the affected functions exposed. By sending specially crafted HTTP requests to the WordPress site, an unauthenticated user can trigger unauthorized operations that the plugin normally restricts to higher-privileged roles [1]. The attack surface is broad because the plugin is widely used, and the vulnerability can be chained with other weaknesses in mass-exploit campaigns.
Impact
Successful exploitation allows an attacker to manipulate post statuses or perform other administrative actions that should be protected. This could lead to unauthorized content modifications, privilege escalation, or further compromise of the WordPress site. The CVSS score of 5.4 (Medium) reflects the potential for significant disruption, though the vulnerability is considered low severity in isolation [1].
Mitigation
The vendor has released version 1.0.20, which addresses the missing authorization issue. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a virtual patching rule to block exploitation attempts until the update can be applied [1]. Given the plugin's use in mass-exploit campaigns, timely remediation is critical.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.19
Patches
No patches discovered yet.
References