CVE-2023-47836

Vulnerability

Overview

The WP Meta and Date Remover plugin for WordPress (versions through 2.3.0) suffers from a missing authorization vulnerability. This issue stems from incorrectly configured access control security levels, allowing actions that should be restricted to higher-privileged users to be performed without proper authentication or nonce verification [1]. The vulnerability is classified as a broken access control flaw, which means the plugin fails to adequately check user permissions before executing certain functions.

Exploitation

Conditions

Attackers can exploit this vulnerability without needing any prior authentication, making it accessible from the public internet. The exposure allows them to trigger unauthorized actions within the plugin's administrative interface. Given that this is a WordPress plugin, exploitation can be carried out remotely by sending specially crafted requests to any site running an affected version [1].

Impact

An attacker leveraging this flaw could manipulate plugin settings or perform privileged actions, potentially leading to the removal of post metadata or author information from published content. While the vulnerability has a CVSS score of 5.4 (Medium), Patchstack notes it has low severity impact and is unlikely to be exploited in mass campaigns, though such vulnerabilities are sometimes used in automated attacks against thousands of sites [1].

Mitigation

The maintainers have released version 2.3.1 which resolves the broken access control issue. Users are strongly advised to update to this patched version immediately. For those unable to update, Patchstack provides a mitigation rule that blocks attacks targeting this vulnerability until a proper update can be applied [1].