Security Weekly

What is a Broken Access Control Vulnerability?



Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 35

This week, let’s dive into broken access control vulnerabilities. It’s probably one of the most self-explanatory vulnerability types, as it arises from—you guessed it—broken access control. More specifically, these vulnerabilities occur when a system fails to properly verify user authorization and/or authentication.

Broken access control is a common security issue, accounting for 12.9% of all security vulnerabilities in the WordPress ecosystem in 2023.

What causes a broken access control (BAC) vulnerability?

Since broken access control vulnerabilities stem from flawed authorization checks or broken authentication, let’s first clarify the difference between authorization and authentication.

Authentication occurs when users verify their identity so the system knows who they are. Authorization, on the other hand, is about checking what the authenticated users are allowed to do. A failed authentication example is when a vulnerability allows unauthenticated users to access functions meant only for logged-in users. A failed authorization example is when any registered user on a website gains access to functions that should only be available to admins.

Another classic example involves the often misunderstood is_admin() function. While it sounds like it checks whether a user is an admin, it actually just checks whether the URI includes /wp-admin/. Using is_admin() for authorization checks is a common cause of BAC vulnerabilities in many plugins.

WordPress provides various hooks for plugin functionality, such as wp_ajax_*, admin_action_*, admin_post_*, and admin_init, as well as the register_rest_route() function for REST API endpoints. However, none of these check user authentication or authorization on their own, so it’s crucial for plugin developers to implement those checks correctly in every handler.

What can happen if your WordPress website has a BAC vulnerability?

Broken access control vulnerabilities are often among the most dangerous. They are frequently exploited to alter website settings (known as option change vulnerabilities) and can allow hackers to gain admin privileges, leading to a full site takeover.

Once hackers take control of a website, they can install backdoors and integrate it into a botnet (a network of compromised sites). From there, the site can be used to spread malware, send spam, host phishing or scam pages, and even launch automated attacks on other websites.

A recent BAC vulnerability that was widely exploited was found in the InstaWP plugin, which lacked proper authorization. This allowed unauthenticated attackers to connect a site to the InstaWP API, modify site settings, and even create administrator accounts.

What can WordPress developers do to avoid BAC vulnerabilities?

WordPress provides all the necessary tools to prevent broken access control vulnerabilities. Functions like current_user_can() and user_can() are easy to use and ensure that unauthorized users cannot perform actions reserved for higher-privileged accounts.
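As an added illustration (not code from this article or from Patchstack), here is a hypothetical settings-update handler written the way the is_admin() passage above warns against, beside its hardened counterpart using current_user_can() and a nonce check. The plugin, action and option names (demo_*) are invented for the example.

```php
<?php
// Added example, not from the article. All demo_* names are hypothetical.

// --- Vulnerable: treats is_admin() as an authorization check -----------------
// admin-ajax.php lives under /wp-admin/, so is_admin() returns true for every
// request to it, including requests from logged-out visitors when the nopriv
// hook is registered. Nothing here checks who the user is or what they may do.
function demo_update_setting_vulnerable() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not admin' );
    }
    update_option( 'demo_plugin_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_setting_vuln', 'demo_update_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_update_setting_vuln', 'demo_update_setting_vulnerable' );

// --- Hardened: capability check plus nonce (CSRF) check ----------------------
function demo_update_setting_hardened() {
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Intent: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'demo_update_setting', 'nonce' );
    update_option( 'demo_plugin_setting', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_demo_update_setting', 'demo_update_setting_hardened' );

// --- REST route: permission_callback is where the authorization check belongs -
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'demo_plugin_setting', sanitize_text_field( $req->get_param( 'value' ) ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        // Returning '__return_true' here would be the BAC bug; check the capability.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The hardened AJAX handler expects the front-end to send a nonce created with wp_create_nonce( 'demo_update_setting' ) in the nonce field, which is what check_ajax_referer() verifies.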

Website owners should also stay vigilant for security updates from plugin developers, as this type of vulnerability is easy to exploit and can become a widespread issue in a short time. Employing hardening techniques—such as preventing privilege escalation, blocking the registration of unauthorized admin accounts, and restricting arbitrary option changes—can help mitigate attacks.

Ultimately, the faster vulnerabilities are mitigated, either through virtual patching or by updating to a fixed version, the better your chances of avoiding a hacked website.



