WordPress Plugin Vulnerability Report: Starter Templates – Incorrect Authorization – CVE-2023-41805
Plugin Name: Starter Templates
Key Information:
- Software Type: Plugin
- Software Slug: astra-sites
- Software Status: Active
- Software Author: brainstormforce
- Software Downloads: 38,934,354
- Active Installs: 1,000,000
- Last Updated: September 8, 2023
- Patched Versions: 3.2.6
- Affected Versions: <=3.2.5
Vulnerability Details:
- Name: Starter Templates <= 3.2.5 - Incorrect Authorization
- Type: Missing Authorization
- CVE: CVE-2023-41805
- CVSS Score: 4.3 (Medium)
- Publicly Published: September 5, 2023
- Researcher: Rafie Muhammad - Patchstack
- Description: The Starter Templates (free and premium) plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the sse_import() function in versions up to, and including, 3.2.5.
Summary:
In versions up to and including 3.2.5, the Starter Templates plugin for WordPress performs an incorrect capability check on its sse_import() function, so an authenticated user with contributor-level access or higher can import plugin/template data and change site data that their role does not permit them to change. The issue is fixed in version 3.2.6.
Detailed Overview:
The vulnerability was reported by Rafie Muhammad of Patchstack. The flaw is an incorrect capability check on the plugin's sse_import() function in versions 3.2.5 and earlier: the check admits users who should not be able to reach the import, so an authenticated attacker with contributor-level access or higher can trigger the import of plugin/template data and make changes to the site that a contributor is not authorized to make.
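The following is an added example, not code from the Starter Templates plugin (the plugin's actual sse_import() implementation is not shown on this page). It is a hypothetical WordPress AJAX import handler that shows the class of bug the advisory describes, a capability check that contributors pass, next to a hardened version of the same handler. All wpguy_* names, the AJAX actions, the option name and the template slugs are assumptions made for illustration.

```php
<?php
// Added example, not code from the Starter Templates plugin. Assumes it runs
// inside WordPress (for instance as a small plugin file); every wpguy_* name,
// the AJAX actions, the option name and the template slugs are hypothetical.

// Vulnerable pattern: wp_ajax_* handlers are reachable by any logged-in user,
// and 'edit_posts' is a capability the Contributor role holds, so this check
// lets a contributor run an import that should be reserved for administrators.
add_action( 'wp_ajax_wpguy_template_import', 'wpguy_template_import_vulnerable' );
function wpguy_template_import_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {   // Contributors pass this check
        wp_send_json_error( 'forbidden', 403 );
    }
    $template = isset( $_POST['template'] )
        ? sanitize_text_field( wp_unslash( $_POST['template'] ) )
        : '';
    update_option( 'wpguy_active_template', $template );   // site-wide change by a contributor
    wp_send_json_success( array( 'template' => $template ) );
}

// Hardened pattern: verify a nonce first (blocks CSRF), then require a
// capability that only administrators hold. A handler that installs plugins
// should check 'install_plugins' instead; neither capability is granted to
// the Contributor, Author or Editor roles.
add_action( 'wp_ajax_wpguy_template_import_safe', 'wpguy_template_import_safe' );
function wpguy_template_import_safe() {
    check_ajax_referer( 'wpguy_template_import', 'nonce' );   // dies with 403 on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $template = isset( $_POST['template'] )
        ? sanitize_text_field( wp_unslash( $_POST['template'] ) )
        : '';
    // Allow-list the input so the import can only select a known template.
    if ( ! in_array( $template, wpguy_allowed_templates(), true ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }
    update_option( 'wpguy_active_template', $template );
    wp_send_json_success( array( 'template' => $template ) );
}

function wpguy_allowed_templates() {
    return array( 'agency', 'portfolio', 'shop' );   // hypothetical template slugs
}

// Hand the nonce the hardened handler expects to the admin page's script.
// Assumes a script with the handle 'wpguy-admin' has already been registered.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'wpguy-admin', 'wpguyImport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpguy_template_import' ),
    ) );
} );
```

The two handlers are shown side by side only for comparison; a real plugin would register just the hardened one. The order in the hardened handler matters: the nonce check stops cross-site request forgery against an administrator, and the capability check stops a logged-in contributor who can obtain a valid nonce for their own session. Checking a capability that contributors already hold, as the vulnerable handler does, is exactly the kind of incorrect capability check that CVE-2023-41805 describes.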
The CVSS score of 4.3 (medium) reflects that exploitation requires an authenticated account (contributor or above) and that the impact is limited to unauthorized modification of data. That makes it less severe than an unauthenticated or remote code execution flaw, but contributor accounts are common on multi-author sites, so the update should still be applied promptly.
Advice for Users:
Immediate Action: Users are strongly encouraged to update to the patched version 3.2.6 immediately.
Check for Signs of Exploitation: Review the site's templates, pages and installed plugins for imports or changes you did not make, confirm that every account with contributor-level access or higher is one you recognize, and check web server and WordPress activity logs for import activity from contributor accounts around the time any unexpected changes appeared.
Alternate Plugins: Updating to 3.2.6 is the fix; replacing the plugin is only worth considering if you cannot update.
Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
Conclusion:
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.2.6 or later to secure their WordPress installations.
References:
- Wordfence Threat Intel - Starter Templates <= 3.2.5 - Incorrect Authorization
- Wordfence Threat Intel - Vulnerabilities in WordPress Plugins
Detailed Report
Keeping your WordPress site updated is one of the most important things you can do to maintain security. Unfortunately, too many users fail to promptly install updates, leaving their sites exposed to known vulnerabilities. This was recently highlighted by the disclosure of a vulnerability in a popular WordPress plugin, Starter Templates.
Starter Templates is a plugin with over 38 million downloads that allows you to easily import starter templates and themes into your WordPress site. It currently powers over 1 million active installs. On September 5th, 2023, security researcher Rafie Muhammad publicly disclosed a vulnerability affecting versions up to and including 3.2.5.
The vulnerability, tracked as CVE-2023-41805, allows authenticated users with only contributor-level access to import plugin and template data that their role should not permit, which could lead to unauthorized modifications to a WordPress site. It was assigned a CVSS score of 4.3 out of 10, a medium severity.
If exploited, this vulnerability lets a contributor make changes to the site's templates and styles that they are not authorized to make, which can corrupt your site's layout and content. Whether an attacker could go further, for example by importing content that carries unwanted code, is not established by the advisory; the medium score reflects the data-modification impact that was reported.
To protect your site, it is highly recommended that you update to the latest patched version of Starter Templates (3.2.6) immediately. You should also review your plugin and template settings for any unauthorized changes, and check your server logs for suspicious activity.
This is not the first vulnerability reported in Starter Templates: earlier issues in 2021 and 2023 involved cross-site scripting and cross-site request forgery. That history is one more reason to update WordPress core, themes and plugins promptly whenever new versions are released.
As a busy small business owner, staying on top of vulnerabilities like this may feel daunting. But ignoring security updates can have serious consequences. Consider automating the process of updating WordPress and plugins to remove the burden of constant monitoring. There are also managed website security services that can alert you to vulnerabilities and ensure your site stays updated.
Keeping your website secure takes vigilance, but is well worth the effort. Don't let your hard work go to waste by leaving your site open to compromise. Take action today to lock down vulnerabilities and protect your online presence.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.