CVE-2023-0876
Published 2023-03-20
Priority P2 · 79 · medium · 6.1 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.71% (49.0th percentile)
The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomunited | wp_meta_seo | < 4.5.3 | 4.5.3 |
Detection & IOCs (extracted from sources)
command: action=wpms&wpms_nonce={{wpms_nonce}}&task=update_link_redirect&link_id={{link_id}}&link_redirect={{redirect_url}}
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the AJAX action 'wpms' and task 'update_link_redirect', which indicates an unauthorized redirect update attempt.
- Monitor for HTTP 302 responses from WordPress pages (e.g., /?p=<id>) with a Location header pointing to an unexpected external domain, indicating a successful arbitrary redirect exploitation.
- Fingerprint vulnerable installations by checking for the presence of /wp-content/plugins/wp-meta-seo/readme.txt and confirming plugin version <= 4.5.2 via the 'Stable tag' field.
- The plugin automatically creates entries in the wp_wpms_links table for 404 pages; monitor for unexpected rows in this table with attacker-controlled redirect URLs.
- Look for the nonce token 'wpms_nonce' being extracted from /wp-admin/ page body by low-privilege authenticated users, as a precursor step to the AJAX exploitation chain.
- Exploitation requires an authenticated low-privilege WordPress user account; the attack chain involves login, nonce extraction from /wp-admin/, and then the unauthorized AJAX call.
- The exploit flow requires a valid link_id from the wp_wpms_links table (auto-populated for 404 pages); without a pre-existing 404 entry, the redirect update may not succeed.
- The Nuclei template uses a flow condition 'http(1) || http(2) && http(3) && http(4) && http(5) && http(6)', meaning version check (http1) or a 404 probe (http2) is sufficient to proceed; detection logic should account for both paths.
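The first two detection ideas in the list above, sketched as an added example (not code from the original page or from any vendor): it flags admin-ajax.php requests carrying `action=wpms` with `task=update_link_redirect`, and 302 responses whose Location leaves the site. The event field names, the site host and the sample events are assumptions constructed for illustration; request bodies are only visible where a WAF or reverse proxy records them.

```python
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"

def parse_update(method, url, body):
    """Return (link_id, link_redirect) if the request is the wpms redirect update, else None."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path != AJAX_PATH:
        return None
    # admin-ajax.php reads parameters from the query string as well as the form body
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if "wpms" not in params.get("action", []) or "update_link_redirect" not in params.get("task", []):
        return None
    return (params.get("link_id", [""])[0], params.get("link_redirect", [""])[0])

def is_external(target, site_host):
    """True when the target names a host other than the site itself."""
    try:
        host = urlsplit(target.strip()).hostname
    except ValueError:
        return True  # unparsable target: surface it for review rather than drop it
    return host is not None and host.lower() != site_host.lower()

def scan(events, site_host):
    """Flag redirect updates and 302 responses whose target leaves site_host."""
    findings = []
    for ev in events:
        update = parse_update(ev["method"], ev["url"], ev.get("body", ""))
        if update is not None:
            kind = "external-redirect-update" if is_external(update[1], site_host) else "redirect-update"
            findings.append((kind, ev["user"], update[0], update[1]))
        elif ev.get("status") == 302 and is_external(ev.get("location", ""), site_host):
            findings.append(("external-302", ev["user"], "", ev["location"]))
    return findings

# Constructed sample events (not from a real log); hosts are reserved example domains.
SAMPLE_EVENTS = [
    {"user": "subscriber1", "method": "POST", "url": "/wp-admin/admin-ajax.php", "status": 200,
     "body": "action=wpms&wpms_nonce=0000000000&task=update_link_redirect&link_id=7&link_redirect=https%3A%2F%2Flanding.example.net%2F"},
    {"user": "editor1", "method": "POST", "url": "/wp-admin/admin-ajax.php", "status": 200, "body": "action=heartbeat&interval=60"},
    {"user": "-", "method": "GET", "url": "/?p=7", "status": 302, "location": "https://landing.example.net/"},
    {"user": "-", "method": "GET", "url": "/old-page", "status": 302, "location": "https://blog.example.org/new-page"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, "blog.example.org"):
        print(finding)
```

Correlating a flagged update's `link_id` and target with a later external 302 ties the request to its effect; same-site redirects are deliberately not reported as external.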
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM
GHSA
GHSA-hjvp-3h96-35mg: The WP Meta SEO WordPress plugin before 4
ghsa_unreviewed · 2023-03-20
CVE-2023-0876 [MEDIUM] CWE-601 GHSA-hjvp-3h96-35mg: The WP Meta SEO WordPress plugin before 4
VulnCheck
WP Meta SEO WordPress plugin AJAX actions Vulnerability
vulncheck · 2023 · CVSS 6.1
CVE-2023-0876 [MEDIUM] WP Meta SEO WordPress plugin AJAX actions Vulnerability
Affected: joomunited wp_meta_seo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-meta-seo/wp-meta-seo-452-missing-authorization-in-startprocess
No detection rules found.
Nuclei
WordPress Meta SEO <= 4.5.2 - Open Redirect
nuclei · CVSS 6.1
CVE-2023-0876 [MEDIUM] WordPress Meta SEO <= 4.5.2 - Open Redirect
The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability.
Template:
```yaml
id: CVE-2023-0876
info:
  name: WordPress Meta SEO <= 4.5.2 - Open Redirect
  author: Khalid6468
  severity: medium
  description: |
    The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability.
  impact: |
    Authenticated attackers with low privileges can exploit unauthorized AJAX actions to update link redirects and create arbitrary redirect vulnerabilities that could be used for phishing attacks.
  remediation: |
    Update
```