CVE-2023-6279
📋 TL;DR
The Woostify Sites Library WordPress plugin before version 1.4.8 lacks proper authorization checks in an AJAX endpoint, allowing any authenticated user (even subscribers) to modify arbitrary blog options. This can lead to denial of service (DoS) by setting specific options to 'activated'. All WordPress sites using vulnerable versions of this plugin are affected.
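The flaw class is a WordPress AJAX handler that takes an option name and value from the request and writes them with update_option() without checking who is calling. The block below is an added, constructed illustration of that pattern next to a hardened version; it is not the Woostify Sites Library source, and the hook names (example_set_option, example_set_option_fixed), the nonce action and the option allow-list are hypothetical.

```php
<?php
/**
 * Constructed illustration of the flaw class behind CVE-2023-6279.
 * NOT the plugin's real source; all names below are hypothetical.
 */

// --- Vulnerable pattern: any logged-in user can write any option --------------
add_action( 'wp_ajax_example_set_option', 'example_set_option_vulnerable' );

function example_set_option_vulnerable() {
    // No nonce check, no capability check, no allow-list of option names:
    // wp_ajax_* hooks run for every authenticated user, subscribers included.
    $name  = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value ); // arbitrary option write
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability + allow-list ------------------------
add_action( 'wp_ajax_example_set_option_fixed', 'example_set_option_fixed' );

function example_set_option_fixed() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_set_option', 'nonce' );

    // 2. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Constrain the write: fixed set of option names and permitted values.
    $allowed = array(
        'example_site_imported' => array( 'yes', 'no' ),
    );
    $name  = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    if ( ! isset( $allowed[ $name ] ) || ! in_array( $value, $allowed[ $name ], true ) ) {
        wp_send_json_error( array( 'message' => 'invalid option or value' ), 400 );
    }

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name, 'value' => $value ) );
}

// The nonce the hardened handler expects is issued server-side when the
// admin script is enqueued, e.g.:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_set_option' ),
// ) );
```

The two checks are independent: the nonce stops cross-site request forgery, the capability check stops a legitimately logged-in low-privilege user. A handler needs both, and the allow-list limits the damage even if one of them is later weakened.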
💻 Affected Systems
- Woostify Sites Library WordPress plugin
📦 What is this software?
Sites Library by Woostify
⚠️ Risk & Real-World Impact
Worst Case
Any authenticated user, down to a subscriber, can write arbitrary WordPress options. The documented impact is a site-wide denial of service by setting specific options to 'activated'; because many security-relevant settings also live in the options table, an unrestricted option write from a low-privilege account may open a path to further compromise.
Likely Case
A low-privilege account (for example a self-registered subscriber) disrupts the site by toggling the affected options, leaving it misconfigured or unusable until an administrator restores them.
If Mitigated
Updating to 1.4.8 or later removes the flaw: option writes through the endpoint then require proper authorization, so low-privilege accounts can no longer modify them.
🎯 Exploit Status
Exploitation needs only a valid account of any role (a self-registered subscriber is enough where registration is open) and a crafted POST to /wp-admin/admin-ajax.php. Public proof-of-concept details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.8
Advisory (WPScan): https://wpscan.com/vulnerability/626bbc7d-0d0f-4418-ac61-666278a1cbdb/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Woostify Sites Library' and update to version 1.4.8 or later.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable the plugin
Temporarily deactivate the Woostify Sites Library plugin to prevent exploitation until patching is possible.
wp plugin deactivate woostify-sites-library
Restrict user registration
Limit new user registrations (Settings > General > Membership) to reduce the attack surface from low-privileged accounts; this does not protect against accounts that already exist.
🧯 If You Can't Patch
- Disable the Woostify Sites Library plugin immediately.
- If the plugin must stay active, block the vulnerable AJAX action for non-administrators in front of WordPress (a WAF rule that inspects the POST body) or inside it (a must-use plugin that rejects the request before the handler runs). Blocking by source IP alone does not help, because the attacker is an authenticated user sending otherwise normal requests.
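One way to enforce the missing authorization without modifying the plugin is a must-use plugin that intercepts the request before WordPress dispatches the wp_ajax_{action} hook. The block below is an added example, not vendor code; it assumes the plugin's vulnerable AJAX action names start with "woostify" (the WSL_VP_ACTION_PREFIX constant), which should be confirmed against the add_action( 'wp_ajax_...' ) calls in the installed plugin version before deployment.

```php
<?php
/**
 * Plugin Name: Virtual patch for Woostify Sites Library AJAX (CVE-2023-6279)
 * Description: Drop into wp-content/mu-plugins/ until the plugin is on 1.4.8+.
 *
 * Added example, not vendor code. ASSUMPTION: the affected AJAX action names
 * begin with "woostify"; adjust WSL_VP_ACTION_PREFIX if the installed plugin's
 * add_action( 'wp_ajax_...' ) registrations show otherwise.
 */

define( 'WSL_VP_ACTION_PREFIX', 'woostify' );

// admin-ajax.php fires 'admin_init' before dispatching wp_ajax_{action}, so a
// check attached here runs ahead of the plugin's unprotected handler.
add_action( 'admin_init', 'wsl_vp_guard_ajax', 1 );

function wsl_vp_guard_ajax() {
    if ( ! wp_doing_ajax() ) {
        return; // only admin-ajax.php requests are in scope
    }

    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( 0 !== strpos( $action, WSL_VP_ACTION_PREFIX ) ) {
        return; // not one of the plugin's actions
    }

    // Site-configuration writes belong to administrators only.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Record the attempt (goes to the PHP error log, or wp-content/debug.log
    // when WP_DEBUG_LOG is enabled) so it can be picked up by monitoring.
    $user = wp_get_current_user();
    error_log( sprintf(
        'wsl-vp: blocked AJAX action=%s user_id=%d login=%s ip=%s',
        $action,
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // wp_send_json_error() terminates the request, so the handler never runs.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
```

Because the guard keys on an action-name prefix, it also blocks any legitimate non-administrator use of other actions under that prefix; check the site's normal traffic after installing it, and remove the file once the plugin has been updated to 1.4.8 or later.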
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is below 1.4.8, it is vulnerable.
Check Version:
wp plugin get woostify-sites-library --field=version
Verify Fix Applied:
Confirm the plugin version is 1.4.8 or higher after the update. Then, using a test account with the subscriber role, send the AJAX request to the endpoint and confirm it is rejected (an error response rather than a successful write) and that the targeted option is unchanged.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php whose action parameter belongs to the Woostify plugin, sent by accounts below administrator (subscribers, customers, contributors).
- Option writes by non-admin users. WordPress does not record option changes on its own, so this indicator needs an audit-log plugin or a custom hook on updated_option.
Network Indicators:
- HTTP POST requests to admin-ajax.php with parameters like 'action=woostify_sites_library_activate_license' from sessions that do not belong to an administrator. For a POST the action usually travels in the request body, which standard web-server access logs do not record; capture it at the application layer or with a WAF that inspects bodies.
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND user_role="subscriber" AND params.action CONTAINS "woostify")
The query is a template: the user_role and params.action fields assume application-level logging that exposes them, and the role filter should be widened to every role below administrator that exists on the site.
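To produce the option-write log entries referenced above, the following added must-use plugin (example code, not the plugin vendor's) hooks WordPress's updated_option and added_option actions and emits one JSON line per option write performed by a user without the manage_options capability, together with the AJAX action and request URI that triggered it. The record field names are an assumption; adapt them to the SIEM's schema.

```php
<?php
/**
 * Plugin Name: Option-write audit log
 * Description: Logs every option write by a non-administrator as one JSON line.
 *
 * Added example for detection of CVE-2023-6279-style abuse; WordPress itself
 * keeps no record of option changes. Place in wp-content/mu-plugins/.
 */

add_action( 'updated_option', 'owal_log_option_update', 10, 3 );
add_action( 'added_option', 'owal_log_option_add', 10, 2 );

function owal_log_option_add( $option, $value ) {
    owal_log_option_update( $option, null, $value );
}

function owal_log_option_update( $option, $old_value, $value ) {
    // Skip transients, cron bookkeeping, WP-CLI and cron runs: they churn
    // constantly and have no user context to attribute.
    if ( false !== strpos( $option, '_transient_' ) || 'cron' === $option ) {
        return;
    }
    if ( wp_doing_cron() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    // The expected path: administrators may write options. Log everything else,
    // including unauthenticated writes (user_id 0) reached via wp_ajax_nopriv_*.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $user   = wp_get_current_user();
    $record = array(
        'ts'      => gmdate( 'c' ),
        'event'   => 'option_write_by_non_admin',
        'option'  => $option,
        'old'     => owal_trim( $old_value ),
        'new'     => owal_trim( $value ),
        'user_id' => $user->ID,
        'login'   => $user->user_login,
        'roles'   => $user->roles,
        'ajax'    => wp_doing_ajax(),
        'action'  => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        'uri'     => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    );

    // One JSON object per line; ends up in the PHP error log or, with
    // WP_DEBUG_LOG enabled, in wp-content/debug.log, for shipping to a SIEM.
    error_log( wp_json_encode( $record ) );
}

// Keep serialized option values from flooding the log.
function owal_trim( $v ) {
    $s = is_scalar( $v ) ? (string) $v : wp_json_encode( $v );
    return strlen( $s ) > 200 ? substr( $s, 0, 200 ) . '...' : $s;
}
```

On an unpatched site, a subscriber exercising the vulnerable endpoint produces a line with "ajax": true, an "action" in the Woostify namespace and "roles": ["subscriber"], which is exactly the condition the SIEM query above is looking for; after the update to 1.4.8 the same request should produce no line because the write never happens.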