Vulnerability Patched in Sassy Social Share Plugin

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

In 2010, Stefan Esser gave a presentation in Las Vegas that rocked the PHP world. He had discovered a new kind of vulnerability that today we call a “PHP Object Injection” vulnerability. This kind of vulnerability allows an attacker to send a PHP application some data that is turned into an object that lives in memory. If the application then assumes that object and its data are secure, and does things with that object, it could lead to a compromised website.

In technical terms, the way an object injection vulnerability works is as follows. A developer writes code that uses the unserialize() function. This function is a way to take an object that has been stored somewhere, and turn it from its stored form, which looks like text, back into an object that lives in memory. Developers do this when using object oriented programming in PHP. Objects are just data structures that logically represent things within the application. The serialize() and unserialize() functions are ways to store and retrieve objects. While serialize() turns an object into text, ready for storage, unserialize() takes the text and turns it back into an object that you can use in the application.

What Stefan discovered is that many developers were assuming that their objects, once unserialized in memory, were safe. And if he could send malicious data to the unserialize function, that is later used by the application and assumed to be safe, he could gain remote code execution on a website or in any PHP application. He had discovered a whole new way to hack into many websites across the globe.

Today we are disclosing an object injection vulnerability in a popular WordPress plugin. This vulnerability allows an attacker to submit data that is unserialized by PHP, and could contain malicious data. This malicious data is used by code in the application that trusts that the data is safe, creating a vulnerability that allows an attacker to take over a WordPress website.

PHP Object Injection Vulnerability in Sassy Social Share

On August 31, 2021, the Wordfence Threat Intelligence team discovered a vulnerability in “Sassy Social Share”, a WordPress plugin installed on over 100,000 sites. The vulnerability provided a way for subscriber level users to gain remote code execution and take over a vulnerable site. Sites that have open registration allow anyone to create a “subscriber” level account, and are particularly exposed to this vulnerability.

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021.

In this case, the flaw made it possible for an attacker to import plugin settings and potentially inject PHP Objects that could be used as part of a POP Chain – a code execution sequence in the application that is exploited by the attacker.

On August 31, 2021, we initiated the responsible disclosure process. The vendor responded the next day, on September 1, 2021 after which we sent over the full disclosure details.

After working with the developer over a couple of weeks, a patch was released on September 17, 2021 in version 3.3.24. As per our responsible disclosure policy, we are now disclosing the vulnerability details because the plugin has been fully patched for some time.

If you have not already done so, we strongly recommend updating to the latest patched version of Sassy Social Share, which is version 3.3.25 at the time of this publication, as soon as possible, especially if you are running the vulnerable version of the plugin, which is version 3.3.23.

Description: Missing Authorization Controls to PHP Object Injection
Affected Plugin: Sassy Social Share
Plugin Slug: sassy-social-share
Plugin Vendor: Team Heateor
Affected Versions: 3.3.23
CVE ID: CVE-2021-39321
CVSS Score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher/s: Chloe Chamberland

Sassy Social Share is an easy to use plugin designed to enhance a site’s social media presence. One of the plugin’s recent updates introduced the ability to import and export the settings for the plugin. Unfortunately, this was insecurely implemented, making it possible for authenticated users to import the plugin’s settings along with arbitrarily injecting PHP objects.

In order to provide this functionality the plugin registered the wp_ajax_heateor_sss_import_config AJAX action which is hooked to the import_config function. Unfortunately, this function had no capability checks, nor any nonce protection which meant that any authenticated user could trigger the AJAX action.

In this vulnerability’s simplest form it could be used to import and override the plugin’s settings, however, it didn’t stop there. Due to the fact that the plugin used the unserialize function on the user-supplied contents of the config parameter for the import, an attacker could craft a special payload that could call other PHP classes and potentially perform other actions if a vulnerable magic method was present in another piece of software installed on the same site. This is referred to as PHP Object Injection, and we have detailed this type of vulnerability more extensively in the past.

	// Vulnerable handler as shipped in 3.3.23: no capability check, no nonce,
	// and the user-supplied string is handed straight to maybe_unserialize().
	public function import_config() {

		if ( isset( $_POST['config'] ) && strlen( trim( $_POST['config'] ) ) > 0 ) {
			// base64 -> serialized string -> unserialize(): any O:... token in the
			// payload instantiates an object before the is_array() test below runs.
			$config = maybe_unserialize( base64_decode( trim( $_POST['config'] ) ) );
			if ( is_array( $config ) && count( $config ) > 0 ) {
				// The plugin's settings are overwritten without checking who sent them.
				update_option( 'heateor_sss', $config );
				header( 'Content-Type: application/json' );
				die( json_encode(
					array(
						'success' => 1
					)
				) );
			}
		}
		die;
	}

If another plugin or theme with a vulnerable magic method was installed on the same site with a vulnerable version of the Sassy Social Share plugin, then an attacker could potentially have the ability to create new files, delete existing files, execute remote commands, and more. This would make it possible for an attacker to take over a vulnerable WordPress site.
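As an added example (not the plugin's code and not part of the original advisory), the following is a defensive replacement for the import step shown above: the transport stays the same, but no object can ever be instantiated from the submitted string, and the handler gains the capability and nonce checks the original lacked. The nonce action name and the manage_options capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Same transport as the vulnerable
// handler (base64 of a PHP-serialized array), but objects are never created.

/**
 * Decode an imported config. Returns the settings array, or null if the
 * input is not a non-empty array made only of scalars.
 */
function decode_config_safely(string $raw): ?array
{
    // Strict mode rejects strings that are not valid base64 instead of
    // silently skipping bad characters.
    $serialized = base64_decode(trim($raw), true);
    if ($serialized === false || $serialized === '') {
        return null;
    }

    // allowed_classes => false turns every O:... token into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() of an
    // attacker-chosen class is ever invoked by unserialize().
    $config = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($config) || $config === []) {
        return null;
    }

    // Even an incomplete-class object is not a setting: refuse the whole
    // import unless it is nested arrays of scalars and nothing else.
    return is_scalar_tree($config) ? $config : null;
}

/** True if $value is a scalar, null, or (recursively) an array of those. */
function is_scalar_tree($value): bool
{
    if (is_scalar($value) || $value === null) {
        return true;
    }
    if (!is_array($value)) {
        return false; // objects, resources, closures
    }
    foreach ($value as $item) {
        if (!is_scalar_tree($item)) {
            return false;
        }
    }
    return true;
}

/**
 * How an AJAX handler would use it inside WordPress. The functions called
 * here are WordPress core APIs; the nonce action name is an assumption.
 */
function hardened_import_config(): void
{
    check_ajax_referer('heateor_sss_import_config');  // nonce: blocks CSRF
    if (!current_user_can('manage_options')) {        // capability: admins only
        wp_send_json_error('forbidden', 403);
    }
    $config = decode_config_safely((string) ($_POST['config'] ?? ''));
    if ($config === null) {
        wp_send_json_error('invalid config', 400);
    }
    update_option('heateor_sss', $config);
    wp_send_json_success();
}

// Stand-alone demonstration with constructed inputs (run with php-cli).
if (PHP_SAPI === 'cli') {
    $benign = base64_encode(serialize(['facebook' => 1, 'twitter' => 0]));
    // A settings array that smuggles an object in place of a scalar.
    // stdClass is harmless; a real payload would name a class whose magic
    // method does something useful to the attacker.
    $withObject = base64_encode(serialize(['facebook' => new stdClass()]));

    var_dump(decode_config_safely($benign));      // the two settings
    var_dump(decode_config_safely($withObject));  // rejected
    var_dump(decode_config_safely('not base64!')); // rejected
}
```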

Disclosure Timeline

August 31, 2021 – Conclusion of the plugin analysis that led to the discovery of a vulnerability in the Sassy Social Share WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.
September 1, 2021 – The vendor confirms the inbox for handling the discussion.
September 2, 2021 – We send over full disclosure details. The vendor responds confirming they will begin working on a fix.
September 2-17, 2021 – We work closely with the vendor to ensure an optimal security patch is released by verifying the implemented fixes before they are released to customers.
September 17, 2021 – The patched version is released as 3.3.24.
September 30, 2021 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we described a flaw in the Sassy Social Share WordPress plugin that grants attackers the ability to update the plugin’s settings and inject PHP Objects. This flaw has been fully patched in version 3.3.24 of Sassy Social Share. We recommend that WordPress users immediately update to the latest version available, which is version 3.3.25 at the time of this publication.

Please do let others in the WordPress community know about this issue to help them stay safe.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 31, 2021. Sites still using the free version received the same protection on September 30, 2021.

If your site has been compromised as a result of this or any other vulnerability, we offer Professional Site Cleaning services to help undo the damage. If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to complete site takeover.

The post Vulnerability Patched in Sassy Social Share Plugin appeared first on Wordfence.

It’s Not You. It’s Them. On Hacking and Responsible Disclosure.

A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But I’m a cybersecurity professional, I run a team that has the ability to hack into any system they take an interest in, and I’ve studied cybersecurity ethics and am familiar with the consequences of hacking in 2021. I’m also aware of the fallibility of humans. So I was obliged to reply on HN.

The short version is this: In the United States, hacking crimes are governed by the CFAA – the Computer Fraud and Abuse Act. The criminal penalties are extremely harsh, and many cybercrimes are handled in federal court. If you do access a computer system without authorization, or exceed the authorization you have been given – which are both criminal offenses under CFAA – you’ve given yourself a pretty good shot at ruining your life. Being charged with a crime and having to deal with court dates is stressful enough. Even if you’re lucky to get probation, you still have a criminal record which severely limits your job opportunities and travel options.

Responsible disclosure is challenging enough. But actually hacking systems – even if you think you’re being playful – can lead to disaster. As I said in my comment: “Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board, or management team to trigger a disastrous outcome in stories like this.”

For the most part, my comment on HN was upvoted and supported in the replies. But I did get a certain amount of pushback. And wouldn’t you know it, in the news this morning is a fine example of the kind of idiocy out there that demonstrates why researchers and explorers need to be very careful to avoid violating the CFAA.

A journalist at the St Louis Post Dispatch discovered a data disclosure issue with a website that allowed the public to look up teacher credentials. Encoded in the HTML source code of the site were the social security numbers of teachers, counselors, and administrators. It’s worth noting that the data was encoded, not encrypted, which means it was easily readable by any attacker or software developer.

The St Louis Post Dispatch and their journalist did exactly the right thing: They confidentially disclosed the issue to the website operator. The website operator fixed the problem. And then St Louis Post Dispatch disclosed the details in an article, which is exactly how the cybersecurity industry works. That final disclosure step is so that the public has full transparency on the issue – in other words, teachers should know that their socials were exposed. And so that other researchers, vendors, and operations staff can learn from this mistake.

What should have happened at this point? Nothing. Because absolutely nothing was awry. The discovery helped secure a system. The journalist never breached any cybersecurity ethical boundaries. The school system has a more secure website. Apparently, that wasn’t enough for Missouri Governor Mike Parson who has announced that the Cole County Prosecutor and the Missouri Highway Patrol [I’m not joking] will investigate the matter.

And the governor is rolling out the red carpet. Extracts from his statement: “We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved. We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them. This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.”

All because a journalist spotted that social security numbers were easily accessible in HTML source code, responsibly disclosed the issue, and helped secure the school system, exactly the way every ethical and responsible cybersecurity organization on this planet operates.

Let’s revisit the school hacking story I started with. What you have here is exactly what I warned folks about just days ago. An embarrassed governor and embarrassed school administrators are framing this as a malicious act to try to protect their reputations. And they have the full force of the CFAA to back them up. They’re most likely going to try to frame reading HTML source code as accessing a system beyond the authorization given, which is a crime under the CFAA.

So if you are a cybersecurity researcher or simply curious and love exploring our global Internet, please be careful. Read the Wikipedia entry for the CFAA so that you understand it. The Responsible Disclosure article on Wikipedia is also a great start. Every major cybersecurity certification also contains a section on ethics, so consider gaining a Security+, CEH, CISSP, or similar. After working in ops and development for over 20 years, I became a CISSP and even with my experience and knowledge, I found that I have benefited greatly from the certification.

Understand that responsible disclosure is still very much an industry insider concept. People who operate systems and their employers are often unsophisticated and uneducated in the field of cybersecurity – and they are human and are easily embarrassed. It’s very tempting for them to shoot the messenger, even when the messenger delivers the bad news within a globally accepted framework.

And when it comes to hacking your school network or other systems that you don’t have the authorization to hack? Don’t do it. We aren’t living in the 80s or early 90s anymore, where hackers are seen as adorable Matthew Broderick characters from the movie WarGames. When Kevin Mitnick was hunted down by Janet Reno for over 2 years, under the Clinton Administration in 1995, and eventually arrested, the game changed. Hackers were rebranded as evil, malicious, dangerous, and bound for prison, and Kevin was sentenced to 5 years. In South Africa where I was “exploring”, my friends started getting raided, one was arrested, and I was fortunate enough to only get a nasty letter. Childhood’s end had arrived for cybersecurity.

If you’re a researcher, take care, even when disclosing responsibly. If you think you’re being playful by accessing systems you’re not allowed to, or exceeding the access you’ve been given, stop. Back away from the keyboard. And sign up for a cybersecurity certification that will give you opportunities to do the kind of exploring you want to do, legally, and will teach you about the ethical frameworks that our industry has. And give your adventurous friends and family the same advice.

It’s not you. It’s them.

Mark Maunder – Defiant Inc Founder & CEO. (We make Wordfence)


Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover


On August 19, 2021, the Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy – Page Builder, a WordPress plugin installed on over 90,000 sites.

During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack. This led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced.

Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover, including a combination that allowed any logged-in user to modify any published post and add malicious JavaScript to it, as well as a separate flaw that allowed any logged-in user to upload potentially executable files and achieve remote code execution.

We received a response to our initial disclosure and sent over the full disclosure the same day, on August 19, 2021. A patched version of the Brizy – Page Builder plugin, 2.3.12, was released on August 24, 2021. As per our responsible disclosure policy, we are now disclosing the vulnerability details as the plugin has been fully patched for some time.

All Wordfence users, including Wordfence Premium users as well as those using the free version, are protected by a combination of our built-in firewall rules and an existing firewall rule released in June of 2020, which covered a similar vulnerability in a previous version of Brizy – Page Builder.

The original vulnerability was patched in version 1.0.126, but an almost identical vulnerability was reintroduced in version 1.0.127.

We strongly recommend updating to the latest version available, 2.3.17, as soon as possible, especially if you are not running Wordfence.


Description: Incorrect authorization checks allowing Post modification
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Plugin Developer: Brizy.io
Affected Versions: <= 1.0.125 and 1.0.127 – 2.3.11
CVE ID: CVE-2021-38345
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12

The Brizy – Page Builder plugin used the Brizy_Editor::is_administrator and Brizy_Editor_User::is_administrator functions for a wide variety of authorization checks, and any user that passed one of these checks was assumed to be an administrator, effectively bypassing almost all of the other capability checks used in the plugin. Unfortunately, due to a logic flaw, being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check, because the function relied on is_admin() for authorization: is_admin() only reports whether the current request is for an administration page, not whether the current user is an administrator.

	// Vulnerable check: is_admin() answers "is this request for a wp-admin URL?"
	// (admin-ajax.php included), not "is this user an administrator?", so any
	// logged-in user hitting such a URL passes.
	public static function is_administrator() {

		if ( ! is_user_logged_in() ) {
			return false;
		}

		return is_admin() || is_super_admin();
	}

This meant that all logged-in users, even subscribers, were allowed to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published. This logic flaw was identical to the one patched in version 1.0.126 and was reintroduced in version 1.0.127, though only Brizy_Editor::is_administrator existed in versions prior to 1.0.127.
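To make the logic flaw concrete, here is an added stand-alone example (not Brizy's code): the four functions named after WordPress core functions are constructed simulations of their documented behaviour, driven by a fake request context, and the script shows the original check passing for a subscriber on admin-ajax.php while a capability-based check does not.

```php
<?php
// Added example, not Brizy's code. The stubs below are a constructed
// simulation of the WordPress core functions of the same name; $ctx stands
// in for WordPress's global request/user state. Run with php-cli, never
// inside WordPress (the names would collide with core).

$ctx = ['logged_in' => false, 'role' => '', 'request_path' => '/'];

function is_user_logged_in(): bool { global $ctx; return $ctx['logged_in']; }

// Real is_admin() is true for any wp-admin URL, including admin-ajax.php,
// regardless of who (if anyone) is logged in.
function is_admin(): bool {
    global $ctx;
    return strpos($ctx['request_path'], '/wp-admin/') === 0;
}

function is_super_admin(): bool { global $ctx; return $ctx['role'] === 'super_admin'; }

// Simulated capability map: the role decides, not the URL.
function current_user_can(string $cap): bool {
    global $ctx;
    $caps = [
        'administrator' => ['manage_options', 'edit_others_posts', 'read'],
        'subscriber'    => ['read'],
    ];
    return in_array($cap, $caps[$ctx['role']] ?? [], true);
}

// The vulnerable check, as it appeared in the plugin.
function vulnerable_is_administrator(): bool {
    if (!is_user_logged_in()) { return false; }
    return is_admin() || is_super_admin();
}

// Hardened: ask about the user's capabilities, never about the request path.
function hardened_is_administrator(): bool {
    return is_user_logged_in() && current_user_can('manage_options');
}

function run_scenario(string $role, string $path): array {
    global $ctx;
    $ctx = ['logged_in' => true, 'role' => $role, 'request_path' => $path];
    return [
        'vulnerable' => vulnerable_is_administrator(),
        'hardened'   => hardened_is_administrator(),
    ];
}

if (PHP_SAPI === 'cli') {
    // A subscriber calling admin-ajax.php passes the original check.
    print_r(run_scenario('subscriber', '/wp-admin/admin-ajax.php'));
    // The same subscriber on the front end does not, which is why the flaw
    // is easy to miss when testing only front-end pages.
    print_r(run_scenario('subscriber', '/'));
    // A real administrator passes both checks.
    print_r(run_scenario('administrator', '/wp-admin/admin-ajax.php'));
}
```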

While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.


Description: Authenticated Stored Cross-Site Scripting
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Plugin Developer: Brizy.io
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38344
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12

While the Brizy – Page Builder plugin does not offer a direct way for lower-privileged users such as contributors to add JavaScript to page content, it was possible for a lower-privileged user to modify a request sent to update a page via the brizy_update_item AJAX action by adding JavaScript to the data parameter. The added JavaScript would then be executed if the post was viewed or previewed by another user, such as an administrator.

Thanks to the authorization check vulnerability, even the lowest-privileged users, such as subscribers, could add malicious JavaScript to any page, allowing them to take over a site. JavaScript running in an administrator’s session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files.

While exploiting this as a subscriber-level user did require submitting a request containing valid hash and editor-version parameters, these are echoed out on dashboard pages accessible to subscribers. The only parameter an attacker would need to guess when modifying a page was the dataVersion parameter, an incrementing integer starting at 1 which could easily be guessed in seconds with a few repeated requests.


Description: Authenticated File Upload and Path Traversal
Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Plugin Developer: Brizy.io
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38346
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12

Thanks to the authorization check vulnerability, it was also possible for subscriber-level users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action.

A malicious user could provide a filename of their choice using the id parameter, and populate the file contents via the ibsf parameter, which would be base64-decoded and written to the file.

While the plugin appended .jpg to all uploaded filenames, a double extension attack was also possible. For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/mod_php with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.

By supplying a file with a .php extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover.
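As an added example (not Brizy's code), the checks a screenshot-saving handler needs before writing a user-named file: a strict name allow-list that leaves no room for either a double extension or a ../ prefix, a content check that the decoded bytes are actually a JPEG, and a final confirmation that the resolved path stays under the upload directory. The parameter names id and ibsf follow the description above; $upload_dir and the helper name are assumptions.

```php
<?php
// Added example, not Brizy's code. Validates the (id, ibsf) pair described
// in the advisory before any file is written.

/**
 * Returns the absolute path to write, or null (with $why set) if the
 * request must be refused.
 */
function screenshot_target_path(string $upload_dir, string $id, string $ibsf, ?string &$why = null): ?string
{
    // 1. A bare name only: no separators and no dots, so neither a "../"
    //    prefix nor a "shell.php" double extension can survive.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        $why = 'id must match [A-Za-z0-9_-]{1,64}';
        return null;
    }

    // 2. Decode strictly and check the bytes really are a JPEG (SOI marker
    //    FF D8 FF). Appending ".jpg" to arbitrary bytes proves nothing.
    $bytes = base64_decode($ibsf, true);
    if ($bytes === false || strlen($bytes) < 3 || substr($bytes, 0, 3) !== "\xFF\xD8\xFF") {
        $why = 'ibsf is not a base64-encoded JPEG';
        return null;
    }

    // 3. Defense in depth: the final location must resolve inside the
    //    upload directory even if the name rule above is ever relaxed.
    $base = realpath($upload_dir);
    if ($base === false) {
        $why = 'upload directory does not exist';
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $id . '.jpg';
    if (realpath(dirname($target)) !== $base) {
        $why = 'target escapes upload directory';
        return null;
    }
    return $target;
}

// Stand-alone demonstration with constructed inputs (run with php-cli).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/screenshot-demo-' . getmypid();
    mkdir($dir);
    $jpeg = base64_encode("\xFF\xD8\xFF\xE0" . str_repeat("\0", 16)); // minimal JPEG header
    $text = base64_encode("<?php // constructed non-image content ?>");

    $cases = [
        ['ok-name',    $jpeg], // accepted
        ['shell.php',  $text], // double-extension attempt: refused by the name rule
        ['../../evil', $jpeg], // traversal attempt: refused by the name rule
        ['ok-name',    $text], // right name, wrong content: refused by the JPEG check
    ];
    foreach ($cases as [$id, $body]) {
        $why  = null;
        $path = screenshot_target_path($dir, $id, $body, $why);
        printf("%-12s -> %s\n", $id, $path ?? "refused: $why");
    }
    rmdir($dir);
}
```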

Timeline

June 11, 2020 – We become aware of a vulnerability in the Brizy – Page Builder and release a firewall rule to Wordfence Premium users.
July 11, 2020 – The firewall rule becomes available to all Wordfence users.

August 19, 2021 – Wordfence Threat Intelligence finishes an investigation of the Brizy – Page Builder plugin prompted by our review of traffic to the firewall rule. We initiate the disclosure process, receive a response from the plugin developer, and send over full disclosure.
August 25, 2021 – A patched version, 2.3.12, is released.

Conclusion

In today’s article, we discussed three vulnerabilities in the Brizy – Page Builder plugin, including an access control vulnerability that enabled a stored XSS vulnerability and an arbitrary file upload vulnerability, either of which could be used to take over a site.

All Wordfence users, including Wordfence Premium users as well as those still using the free version of Wordfence, have been protected against these vulnerabilities since 2020. Nonetheless, we strongly recommend updating to the latest version of Brizy available, 2.3.17, especially if you do not use the Wordfence plugin.

If your site has been compromised as a result of this or any other vulnerability, we offer Professional Site Cleaning services to help undo the damage. If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to complete site takeover.


Wordfence Helps Enable Education in Uganda

I want to share something very exciting and truly wonderful with you all today. Wordfence just completed a project where we partnered with Far Away Friends, a Denver-based non-profit working in partnership with local leaders in Uganda, to bring light and electricity to a school campus in a remote area of Uganda called Namasale. 

I’d like you to watch the video below, because it gives you a real sense of the transformation that has happened in Namasale thanks to this project and thanks to your help. Then scroll down for the full story. 

As you already know, our business is security. Wordfence allows you to run your business on WordPress, with the knowledge that your customers and your investment are safe and secure.

We believe that security extends beyond the internet. No matter where you are, everyone has the right to feel secure, and to be secure. We believe that access to education is the most fundamental way to enable security for individuals, families, and communities. 

When we learned about Far Away Friends, whose mission is to improve the lives of children in rural Uganda by providing access to education, we knew we wanted to get involved. Given that our expertise is in cybersecurity, and not in education in developing countries, we knew that our first step would be to listen and to learn. 

Far Away Friends was established to aid the children of Uganda, whose history is that of decades-long civil war, combined with an HIV crisis. We feel that the mission of Far Away Friends, to educate Ugandan children in partnership with local leaders, is one that is extremely impactful and important. 

Far Away Friends is based in the Amolatar District, which was one of the most geographically isolated regions of Uganda until a ferry was built in 2013. Because of its rural location, children in this region have been historically deprived of access to quality education. In 2016, Far Away Friends opened Global Leaders Primary (GLP) in Namasale, a town in Amolatar district, to provide primary education to children in the area.

Since 2018, 100% of the students at GLP have graduated and passed their Primary Leaving Exams in the top two highest divisions. GLP has graduated 90 students, has 250 current students, and already expects 600 new students over the next few years.

Far Away Friends has achieved much with limited resources, and we wanted to know how we could help. The founders, Jayme and Collines, explained to us that GLP only had two classrooms with access to electricity, and the access they had was limited. We considered how much more they could achieve with access to electricity for classrooms, dormitories, a computer lab and a clinic.

We decided to dedicate ourselves to providing GLP with fully functioning and sustainable electricity throughout the school. With Wordfence investing in a solar installation at GLP, it would significantly accelerate the positive change that Far Away Friends is creating. 

It was important to us that we contribute to the local Ugandan economy by hiring local suppliers. We evaluated several suppliers and selected GreenMax, an electrical contractor based in Lira, Uganda. 

GreenMax made several trips to and from Namasale to quote the project scope and to ensure the required materials were on-site. After weeks of work, GreenMax installed 5 solar systems in Ingrid Hall (girls’ dormitory), Dylan Hall (boys’ dormitory), the classrooms and computer lab block, the clinic and office block, and the teachers’ quarters.

After the work was done, TechNugget, a Solar Systems Monitoring & Evaluation company, came to review the work and provided us with a stellar report, confirming that GreenMax had done a great job. 

With these added solar systems, children are now able to get ready for school in well-lit dormitories, walk to school on a safe and well-lit path thanks to the security lights, and be educated in a classroom with bright lights and electrical outlets for equipment like computers. The teachers are also now able to expand their lesson plans with the use of computers and lights, no matter what time of the day school is in session.

If you’re interested in seeing the work done, please watch the video above. We hired Malaika, a local Uganda-based film crew, who captured this incredible footage of Namasale and of GLP and its students and teachers, and we are very proud of the outcome. 

Our goal in collaborating with Far Away Friends and our Uganda partners is to continue and to help accelerate the work that Far Away Friends began, and to create an effective learning environment for the next generation in Uganda. The completion of this solar and electrical project is a big step in that direction. 

You should feel proud too because your support of Wordfence is what enabled this project, so we thank you for being part of this incredible outcome and for your contribution.

Technical Data 

For those of you who are technically minded, we’re including the specifications of the solar installation at GLP. This includes the capacity of items like batteries, inverters, solar panels and quantities. The linked PDF also includes selected photos of the installation. 

Click here to view a PDF that contains the specifications of the GLP solar installation. 

If you’re interested in learning more about Far Away Friends and how you can help support them, visit: https://www.farawayfriends.org/.

If you’re interested in learning more about Wordfence, visit: www.wordfence.com

Thanks,

Mark Maunder


High Severity Vulnerability Patched in Access Demo Importer Plugin


On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 sites. This flaw made it possible for authenticated attackers with just subscriber level access to upload arbitrary files that could be used to achieve remote code execution. On sites with open registration, an anonymous user could easily register and exploit this vulnerability.

We initially attempted to reach out to the plugin vendor on August 9, 2021 and made a few additional attempts to get in contact with the vendor over the next few weeks. As the vendor failed to respond after 2 weeks despite multiple contact attempts, we escalated the issue to the WordPress.org plugins team. The plugins team responded immediately and closed the plugin for downloads on August 27, 2021, pending a full review. A partially patched version of the plugin was reopened for downloads around September 7, 2021. After following up with the developer and the WordPress plugins team, a fully patched version of the plugin was released on September 21, 2021.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021. As per our responsible disclosure policy, we are now fully disclosing the vulnerability details because enough time has elapsed since the fix was released.

If you have not already done so, we strongly recommend updating to the latest version of the plugin available, 1.0.7, as soon as possible to ensure your site is not vulnerable to this security issue.


Description: Authenticated Arbitrary File Upload
Affected Plugin: Access Demo Importer
Plugin Slug: access-demo-importer
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-39317
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 1.0.7

Access Demo Importer is a plugin designed to import demo content for themes developed by AccessPress Themes. The importer functionality will import everything from content and photos, to plugins required to optimize a site’s functionality. One feature the plugin integrated was the ability to install plugins that are hosted outside of the WordPress.org repository during an import. Unfortunately, this functionality was insecurely implemented, making it possible for authenticated users to upload arbitrary files.

The plugin registers the wp_ajax_plugin_offline_installer AJAX action, which is tied to the plugin_offline_installer_callback function. This function takes the supplied file_location, which could be any external URL to a ZIP file, along with the other specifying parameters like slug, class_name, and file, and then retrieves the file’s contents and extracts the ZIP file to the plugins directory.

	public function plugin_offline_installer_callback() {
		// No check_ajax_referer() and no current_user_can() call: any logged-in user reaches this code.
		$plugin = array();

		$file_location = $plugin['location'] = isset( $_POST['file_location'] ) ? sanitize_text_field( wp_unslash( $_POST['file_location'] ) ) : '';
		$file          = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
		$host_type     = isset( $_POST['host_type'] ) ? sanitize_text_field( wp_unslash( $_POST['host_type'] ) ) : '';
		$plugin_class  = $plugin['class'] = isset( $_POST['class_name'] ) ? sanitize_text_field( wp_unslash( $_POST['class_name'] ) ) : '';
		$plugin_slug   = $plugin['slug'] = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
		$plugin_directory = WP_PLUGIN_DIR;

		$plugin_file = $plugin_slug . '/' . $file;

		// In 'remote' mode the caller-supplied URL is fetched to a local path; the URL itself is never restricted.
		if ( $host_type == 'remote' ) {
			$file_location = $this->get_local_dir_path( $plugin );
		}

		// The archive is extracted straight into wp-content/plugins and then activated.
		$zip = new ZipArchive();
		if ( $zip->open( $file_location ) === TRUE ) {
			$zip->extractTo( $plugin_directory );
			$zip->close();

			activate_plugin( $plugin_file );

			if ( $host_type == 'remote' ) {
				unlink( $file_location );
			}

			echo 'success';

			die();
		} else {
			echo 'failed';
		}

		die();
	}

Unfortunately, this function had no capability check, nor any nonce checks, which made it possible for authenticated users with minimal permissions, like subscribers, to install a zip file as a “plugin” from an external source. This “plugin” zip file could contain malicious PHP files, including webshells, that could be used to achieve remote code execution once extracted and ultimately be used to completely take over a site.
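A hardened version of the same AJAX handler, as an added example that is not the plugin's own patch: it adds the nonce and capability checks the original lacks, downloads only from an allowlisted HTTPS host, and refuses archives whose entries fall outside the expected plugin directory. The hook-up, nonce action name, allowed hostname and the use of download_url() instead of the plugin's get_local_dir_path() are assumptions for illustration.

```php
<?php
// Added example, not the plugin's patch. Hook-up, nonce action and allowed host are assumptions.
add_action( 'wp_ajax_plugin_offline_installer', 'hardened_plugin_offline_installer_callback' );

function hardened_plugin_offline_installer_callback() {
    // Nonce check: the request must carry a nonce minted for this action (dies on failure).
    check_ajax_referer( 'plugin_offline_installer', 'nonce' );
    // Capability check: only users allowed to install plugins get any further.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $file_location = isset( $_POST['file_location'] ) ? esc_url_raw( wp_unslash( $_POST['file_location'] ) ) : '';
    $plugin_slug   = isset( $_POST['slug'] ) ? sanitize_file_name( wp_unslash( $_POST['slug'] ) ) : '';
    $file          = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';

    // Source allowlist: fetch archives only over HTTPS from the vendor host (assumed name).
    $allowed_hosts = array( 'downloads.example-vendor.test' );
    if ( 'https' !== wp_parse_url( $file_location, PHP_URL_SCHEME )
        || ! in_array( wp_parse_url( $file_location, PHP_URL_HOST ), $allowed_hosts, true ) ) {
        wp_send_json_error( 'download source not allowed', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url( $file_location ); // lands in a temp file, never at a caller-chosen path
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }

    $zip = new ZipArchive();
    if ( true !== $zip->open( $tmp ) ) {
        unlink( $tmp );
        wp_send_json_error( 'failed' );
    }
    // Every entry must live under the expected slug directory and contain no traversal.
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( 0 !== strpos( $name, $plugin_slug . '/' ) || false !== strpos( $name, '..' ) ) {
            $zip->close();
            unlink( $tmp );
            wp_send_json_error( 'archive contains unexpected paths', 400 );
        }
    }
    $zip->extractTo( WP_PLUGIN_DIR );
    $zip->close();
    unlink( $tmp );

    $result = activate_plugin( $plugin_slug . '/' . $file );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( 'success' );
}
```

The nonce must be issued to the admin page that triggers the import (for example via wp_create_nonce( 'plugin_offline_installer' ) passed to the script with wp_localize_script()), so that the check rejects requests forged from elsewhere.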

Disclosure Timeline

August 9, 2021 – Conclusion of the plugin analysis that led to the discovery of an arbitrary file upload vulnerability in the Access Demo Importer WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We make an initial contact attempt with the plugin’s vendor.
August 10, 2021 – We discover an additional method to contact the plugin’s vendor and send another initial contact message.
August 18, 2021 – After no response, we attempt to reach out to the vendor again via a different contact.
August 27, 2021 – Due to no response, we reach out to the WordPress plugins team and send over full disclosure details. The plugin is temporarily closed for downloads on the same day.
September 7, 2021 – The plugin is reopened for downloads containing a partial patch for the vulnerability. We attempt to reach out to the vendor, who responded to us after the WordPress.org team got in contact with them, to inform them that the plugin is still missing capability checks.
September 8, 2021 – Wordfence free users receive the firewall rule.
September 20, 2021 – We follow up with the WordPress plugins team after no response from the developer again. They respond and let us know that they have informed the developer about the missing capability checks.
September 21, 2021 – A fully patched version of the plugin is released as version 1.0.7.

Conclusion

In today’s post, we detailed a flaw in Access Demo Importer that granted authenticated attackers the ability to upload arbitrary files, allowing them to perform remote code execution. This flaw was fully patched in version 1.0.7. We recommend that WordPress users immediately update to the latest version available, which is version 1.0.7 at the time of this publication.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post High Severity Vulnerability Patched in Access Demo Importer Plugin appeared first on Wordfence.