CVE-2023-6966
📋 TL;DR
The Moneytizer WordPress plugin has a missing capability check vulnerability that allows authenticated users with subscriber-level access or higher to perform unauthorized actions. Attackers can access, modify, and delete sensitive data including billing/bank details and plugin settings. All WordPress sites using this plugin up to version 9.5.20 are affected.
💻 Affected Systems
- The Moneytizer WordPress Plugin
📦 What is this software?
The Moneytizer by Themoneytizer
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal sensitive financial information, modify payment settings to redirect funds, reset the plugin to disrupt ad revenue, and potentially escalate privileges to compromise the entire WordPress installation.
Likely Case
Authenticated attackers with subscriber access will access and modify billing information, change plugin settings to disrupt ad operations, and potentially exfiltrate sensitive financial data.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized configuration changes that can be detected and reverted before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but only at subscriber level, which is commonly available. The vulnerability is in AJAX endpoints that lack proper authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5.21 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/the-moneytizer/trunk/core/core_ajax.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find The Moneytizer plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 9.5.21 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Temporarily block direct access to the vulnerable core_ajax.php file via web server configuration
# For Apache 2.4: add to .htaccess
<Files "core_ajax.php">
    Require all denied
</Files>
# For Apache 2.2 use the older directives instead:
# <Files "core_ajax.php">
#     Order Allow,Deny
#     Deny from all
# </Files>
# For Nginx: add to server block
location ~ /core/core_ajax\.php$ {
deny all;
return 403;
}
Restrict user registration
Disable new user registration to prevent attackers from obtaining subscriber accounts
# In WordPress admin: Settings → General → uncheck 'Anyone can register'
# Or with WP-CLI, run from the site root (sets the users_can_register option to 0):
wp option update users_can_register 0
# Or force it off from a must-use plugin file in wp-content/mu-plugins/:
add_filter('pre_option_users_can_register', '__return_zero');
🧯 If You Can't Patch
- Immediately disable The Moneytizer plugin via WordPress admin or by renaming its directory
- Implement strict network access controls to limit which IPs can access WordPress admin and AJAX endpoints
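Because the vulnerable handlers are reached through /wp-admin/admin-ajax.php (as the detection section below notes), a web-server rule on core_ajax.php only stops direct requests to that file; a guard inside WordPress's AJAX dispatch covers the actual request path. The must-use plugin below is an added example, not code from the advisory or from The Moneytizer, and it makes two assumptions that must be checked against the installed plugin: that the affected AJAX actions share the 'moneytizer_' name prefix (taken from the detection indicators on this page, not confirmed against the plugin source), and that 'manage_options' is the right administrator capability for settings and billing changes. It hooks admin_init, which admin-ajax.php fires before any wp_ajax_* handler, so it runs regardless of plugin load order, and it writes a log line carrying the fields the SIEM query in the detection section keys on.

```php
<?php
/**
 * Plugin Name: Moneytizer AJAX capability guard (added example, not the plugin's own code)
 *
 * Place this file in wp-content/mu-plugins/ so WordPress loads it before ordinary plugins.
 * Assumptions (not taken from the advisory): the vulnerable handlers are dispatched via
 * admin-ajax.php under 'action' names sharing the prefix below, and 'manage_options' is
 * the capability that should gate settings and billing changes.
 */

defined('ABSPATH') || exit;

// Assumed action prefix; confirm against the plugin's add_action('wp_ajax_...') calls.
const MTZ_GUARD_ACTION_PREFIX = 'moneytizer_';
// Capability a user must hold to reach a guarded action.
const MTZ_GUARD_REQUIRED_CAP = 'manage_options';

/**
 * Pure decision function: true when this is an AJAX request for a guarded action
 * made by a user who lacks the required capability. Kept free of WordPress globals
 * so it can be unit tested in isolation.
 */
function mtz_guard_should_block(string $action, bool $is_ajax, bool $has_cap): bool {
    if (!$is_ajax) {
        return false;
    }
    $prefix_len = strlen(MTZ_GUARD_ACTION_PREFIX);
    if (strncmp($action, MTZ_GUARD_ACTION_PREFIX, $prefix_len) !== 0) {
        return false; // not one of the guarded actions
    }
    return !$has_cap;
}

/**
 * admin_init runs in admin-ajax.php before the wp_ajax_{action} hook, so denying here
 * prevents the plugin's handler from ever executing for an unprivileged caller.
 */
function mtz_guard_admin_init(): void {
    $action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';

    if (!mtz_guard_should_block($action, wp_doing_ajax(), current_user_can(MTZ_GUARD_REQUIRED_CAP))) {
        return;
    }

    // Record who was blocked; user_id 0 and empty roles mean an unauthenticated caller.
    $user = wp_get_current_user();
    error_log(sprintf(
        'moneytizer-guard: blocked action=%s user_id=%d roles=%s ip=%s',
        $action,
        $user->ID,
        implode(',', (array) $user->roles),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));

    wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
}
add_action('admin_init', 'mtz_guard_admin_init');
```

The guard also denies unauthenticated (wp_ajax_nopriv_*) requests under the prefix, since current_user_can() is false for anonymous callers; if the plugin legitimately serves public AJAX actions under the same prefix, exempt those names explicitly rather than loosening the capability check. Remove the file once version 9.5.21 or later is installed.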
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → The Moneytizer → Version. If version is 9.5.20 or lower, you are vulnerable.
Check Version:
# In WordPress root directory: read the version from the plugin header
grep -h "Version:" wp-content/plugins/the-moneytizer/*.php | head -1
# Or with WP-CLI (plugin slug taken from the repository URL above)
wp plugin get the-moneytizer --field=version
Verify Fix Applied:
After updating, verify version shows 9.5.21 or higher in WordPress plugins list. Test that only administrators can modify plugin settings.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'action' parameters related to The Moneytizer
- Multiple failed login attempts followed by successful subscriber login and AJAX requests
- User with subscriber role modifying plugin settings or accessing billing functions
Network Indicators:
- HTTP POST requests to admin-ajax.php with 'moneytizer_' action parameters from non-admin users
- Unusual traffic patterns to AJAX endpoints from newly created user accounts
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "moneytizer_") AND user_role!="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/the-moneytizer/trunk/core/core_ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve