During my recent search for a membership/community plugin I discovered PeepSo, which looks promising for a relatively new product. The WordPress.org plugin page claims there are 800+ users, so this isn’t going to affect too many users.
During initial analysis, I discovered a vulnerability that allows a logged in user to upgrade their account to be an administrator. If you are using PeepSo <= 1.6.0, upgrade immediately.
The developers were quick to respond and deal with this issue, the updated version restricts the meta keys that can be updated.
PeepSo AJAX Actions
PeepSo has implemented their own AJAX handler that is handled differently than the typical WordPress AJAX handler. Their handler allows any function that is a derivative of the PeepSoAjaxCallback class to be called by any user and it is up to the individual functions to provide any form of security. This isn’t necessarily a bad setup, but it does require developers to be extra careful when adding additional functionality.
Unfiltered User Input
A logged in user can call the PeepSoProfilePreferencesAjax->save() function and save meta data for their own account. The function does keep users from modifying an account other than their own. Simply by passing the ‘wp_capabilities’ meta key, a user can escalate their account to be an administrator.
- 6/22/2016 3:10pm Contact information requested
- 6/22/2016 7:10pm Response received from developer
- 6/22/2016 7:19pm Disclosure email sent
- 6/23/2016 2:31am Received copy of updated version of code
- 6/29/2016 Version 1.6.1 released on WordPress.org
While looking for a membership plugin for WordPress I stumbled on MemberSonic and the free version of their plugin MemberSonic Lite. After a 10 minute wait while watching their promotional video they finally email you a link to the Lite version. I could not find any indication on the site regarding how many sites/users their plugins have. It appears that they released something back in September of 2012, so there must be more than a handful of users out there.
Anyone using MemberSonic Lite should upgrade immediately, version 1.2 has a flaw allowing an unauthorized user to login to any account simply by knowing the email address associated with the account, this includes any accounts with administrator privileges.
I do not know if this affects the commercial version of the product and I have not done any further auditing of the Lite product. As of 6/28/2016, there has not been a new posting on their blog related to this issue or announcing an update to the Pro version.
- 6/20/2016 12:51pm Initial email attempt
- 6/22/2016 7:45am Additional email attempt
- 6/23/2016 2:49pm Final email attempt
- 6/23/2016 3:07pm Email response received
- 6/23/2016 3:16pm Full disclosure email sent
- 6/24/2016 9:53am Received updated version 1.301
- 6/24/2016 1:19pm Received updated version 1.302 that resolves original issue
In the quest for a good solution to allow different groups to control their own content on a WordPress site, I came across the Advanced Access Manager plugin. During a standard cursory investigation of the code I discovered that any logged in user could execute any of the AJAX actions without proper authorization.
As a normal subscriber account, I was able to give myself administrator privileges on the site and do much more.
The wordpress.org repository claims there are 50,000+ active installs of this plugin. If you are using a version <= 3.2.1, upgrade immediately.
The AJAX actions were protected only with the ‘aam_ajax’ nonce which could be leaked by passing in HTTP POST variable ‘action=aam’. The following function is called from the ‘admin_print_scripts’ action, which in turn calls the printLocalization() function which includes the nonce.
Unrestricted AJAX Actions
Once you have acquired a valid nonce, as a logged in user you can then call the ‘aam’ AJAX action.
Which will allow you to call any function in the ‘AAM_Backend_View’ class or in any class that begins with ‘AAM_Backend_’
Almost every action taken by this plugin goes through this function, so anything that an administrator can do is now accessible to anyone with basic login credentials.
- 5/11/2016 8:25pm Submitted contact form for initial contact
- 5/12/2016 5:34am Response received
- 5/12/2016 8:10am Initial Disclosure
- 6/15/2016 GitHub repository updated
- 6/20/2016 Version 3.2.2 released