CVE-2023-35039
📋 TL;DR
This vulnerability allows attackers to perform unlimited authentication attempts against the WordPress Password Reset with Code plugin's REST API, enabling brute-force attacks to guess reset PINs. It affects all WordPress sites using this plugin version 0.0.15 or earlier. Attackers can potentially reset any user's password and gain unauthorized access.
💻 Affected Systems
- Password Reset with Code for WordPress REST API
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover through administrator account compromise, leading to data theft, defacement, or malware injection.
Likely Case
Unauthorized access to user accounts, potential privilege escalation, and credential theft.
If Mitigated
Limited impact with proper rate limiting and monitoring, though authentication attempts may still occur.
🎯 Exploit Status
Simple brute-force attack against REST API endpoints with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.0.16 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Password Reset with Code for WordPress REST API'.
4. Click 'Update Now' if available, or manually update to version 0.0.16+.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Password Reset with Code plugin until patched.
wp plugin deactivate bdvs-password-reset
Implement web application firewall rules
Block excessive authentication attempts at the WAF level.
🧯 If You Can't Patch
- Implement rate limiting on WordPress REST API endpoints using security plugins or .htaccess rules.
- Monitor authentication logs for brute-force patterns and block suspicious IPs.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Password Reset with Code for WordPress REST API' version 0.0.15 or earlier.
Check Version:
wp plugin get bdvs-password-reset --field=version
Verify Fix Applied:
Confirm plugin version is 0.0.16 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Excessive POST requests to /wp-json/bdvs-password-reset/v1/ endpoints
- Multiple failed password reset attempts from single IP
Network Indicators:
- High volume of requests to WordPress REST API password reset endpoints
- Pattern of sequential PIN guessing attempts
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/bdvs-password-reset/v1/*" AND status=200) | stats count by src_ip
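The log indicators above can be checked offline against web-server access logs. The following is an added example, not part of the advisory and not the plugin's code: it parses combined-format access log lines, counts POST requests to the /wp-json/bdvs-password-reset/v1/ prefix per client IP inside a sliding time window, and reports IPs that exceed a threshold. Unlike the SIEM query, it counts every status code, since a failed PIN guess is the interesting event. The sample log lines, the threshold and window, and the path segment after v1/ are constructed assumptions (the advisory only names the prefix).

```python
"""Flag brute-force patterns against the password-reset REST endpoint.

Added example: counts POST requests to the vulnerable endpoint prefix per
source IP in a sliding window and reports IPs above a threshold. Log lines,
threshold, window and the endpoint name after v1/ are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Only the prefix comes from the advisory's log indicators.
ENDPOINT_PREFIX = "/wp-json/bdvs-password-reset/v1/"

# Apache/nginx "combined" log format: captures client IP, timestamp,
# request method, path and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs that sent more than `threshold` POSTs
    to the reset endpoint within any span of length `window`.

    All status codes are counted: failed guesses matter as much as successes.
    Lines are expected in time order per IP, as access logs normally are.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(ENDPOINT_PREFIX):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def sample_log():
    """Constructed sample: 12 POSTs from one IP within 90 seconds, plus two
    benign requests from another IP. 'placeholder-step' is not a real route."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    path = ENDPOINT_PREFIX + "placeholder-step"
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=8 * i)).strftime(fmt)
        lines.append(
            f'203.0.113.7 - - [{t}] "POST {path} HTTP/1.1" 400 61 "-" "curl/8.0"'
        )
    t = base.strftime(fmt)
    lines.append(
        f'198.51.100.20 - - [{t}] "POST {path} HTTP/1.1" 200 80 "-" "Mozilla/5.0"'
    )
    lines.append(
        f'198.51.100.20 - - [{t}] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    )
    return lines


if __name__ == "__main__":
    # Prints the flagged IPs and their peak in-window request count.
    print(find_brute_force(sample_log()))
```

For a real deployment, feed the function the site's access log (for example via `fileinput`) and lower or raise the threshold to match the plugin's legitimate reset traffic; a normal user needs only a handful of attempts, so a threshold in the low tens per five minutes is a reasonable starting point. The flagged IPs are candidates for the blocking step listed under "If You Can't Patch", not a verdict on their own.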
🔗 References
- https://patchstack.com/database/vulnerability/bdvs-password-reset/wordpress-password-reset-with-code-for-wordpress-rest-api-plugin-0-0-15-privilege-escalation-due-to-weak-pin-generation-vulnerability?_s_id=cve