CVE-2023-4243
📋 TL;DR
The FULL - Customer WordPress plugin up to version 2.2.3 contains an arbitrary file upload vulnerability via the /install-plugin REST route due to improper authorization. This allows authenticated attackers with subscriber-level permissions or higher to install plugins from arbitrary remote locations, potentially leading to remote code execution. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- FULL - Customer WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution, data theft, defacement, or malware distribution.
Likely Case
Unauthorized plugin installation leading to backdoor persistence, data exfiltration, or site takeover.
If Mitigated
Limited impact if proper access controls and monitoring are in place, but still represents significant risk.
🎯 Exploit Status
Exploitation requires authenticated access but only subscriber-level permissions. Public references demonstrate the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/full-customer/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Locate the 'FULL - Customer' plugin.
4. Click 'Update Now' if available, or manually update to version 2.2.4+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
Remove or restrict access to the /install-plugin REST route
Add to theme's functions.php or custom plugin: remove_action('rest_api_init', 'full_customer_register_rest_routes');
Restrict user permissions
Temporarily limit subscriber-level users from accessing plugin functionality
Use WordPress role management plugins to restrict capabilities
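Instead of removing the route outright, the missing authorization check can be enforced in front of it. The following must-use plugin is an added example and is not code from the FULL - Customer plugin; it assumes the route path /full-customer/v1/install-plugin given in the network indicators above and uses core's own install_plugins capability as the gate.

```php
<?php
/**
 * Plugin Name: Gate FULL - Customer install-plugin route
 * Description: Added example (not part of the FULL - Customer plugin). Drop this file
 *              into wp-content/mu-plugins/ so it loads before regular plugins and
 *              cannot be deactivated from the Plugins screen.
 */

// Route taken from the advisory's network indicator /wp-json/full-customer/v1/install-plugin.
// Assumption: the namespace on your install matches; confirm with GET /wp-json/full-customer/v1.
const FC_GATED_ROUTE = '/full-customer/v1/install-plugin';

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Leave every other REST route untouched.
    if ( $request->get_route() !== FC_GATED_ROUTE ) {
        return $response;
    }

    // install_plugins is the capability WordPress core itself requires in wp-admin
    // for plugin installation; subscribers and editors do not have it.
    if ( current_user_can( 'install_plugins' ) ) {
        return $response;
    }

    // Record the blocked attempt so it shows up in the log indicators listed in the advisory.
    error_log( sprintf(
        'full-customer: blocked install-plugin REST call (user_id=%d, ip=%s)',
        get_current_user_id(),
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '-' )
    ) );

    // Returning a WP_Error here short-circuits both the route's permission_callback
    // and its handler, so the upload code is never reached.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to install plugins.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

This keeps the endpoint available to administrators while patching is scheduled; remove the file once version 2.2.4 or later is installed and verified.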
🧯 If You Can't Patch
- Immediately disable the FULL - Customer plugin
- Implement strict access controls and monitor for suspicious plugin installation activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for FULL - Customer version 2.2.3 or earlier
Check Version:
wp plugin list --name=full-customer --field=version
(The --name filter in wp plugin list matches the plugin slug, full-customer, not the display name 'FULL - Customer'.)
Verify Fix Applied:
Confirm FULL - Customer plugin version is 2.2.4 or later in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- REST API calls to /install-plugin endpoint
- Unexpected plugin installations
- File uploads to wp-content/plugins/
Network Indicators:
- HTTP POST requests to /wp-json/full-customer/v1/install-plugin
- External downloads to plugin directories
SIEM Query:
source="wordpress" AND (uri_path="/wp-json/full-customer/v1/install-plugin" OR event="plugin_installed")
🔗 References
- https://plugins.trac.wordpress.org/browser/full-customer/tags/1.1.0/app/api/Plugin.php
- https://plugins.trac.wordpress.org/browser/full-customer/tags/2.2.1/app/api/PluginInstallation.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9799df3f-e34e-42a7-8a72-fa57682f7014?source=cve