CVE-2023-52147
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects All In One WP Security & Firewall: from n/a through 5.2.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All In One WP Security & Firewall plugin up to 5.2.4 exposes sensitive information due to missing access controls, enabling unauthorized functionality access.
Vulnerability
The All In One WP Security & Firewall plugin for WordPress fails to properly constrain access to certain functionality, resulting in exposure of sensitive information to unauthorized actors. This issue affects versions up to and including 5.2.4. The vulnerability is classified as an ACL bypass.
Exploitation
An attacker can exploit this vulnerability by directly accessing restricted endpoints or performing actions that should require higher privileges, without proper authentication or authorization checks. No special network position is required; the attacker only needs to be able to send HTTP requests to the WordPress site.
Impact
Successful exploitation allows an unauthorized actor to access sensitive information, such as configuration details or user data, that should be protected by access control lists. The impact is limited to information disclosure, with no direct code execution or privilege escalation.
Mitigation
A fix was introduced in version 5.2.5 of the plugin. Users should update to a version later than 5.2.4. The latest version available is 5.4.7 [1]. If unable to update, consider restricting access to the plugin's functionality via other security measures or disabling the plugin until a patched version can be applied.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.2.4
- Range: <=5.2.4
Patches
No patches discovered yet.
References