During my recent search for a membership/community plugin I discovered PeepSo, which looks promising for a relatively new product. The WordPress.org plugin page claims there are 800+ users, so this isn’t going to affect too many users.

During initial analysis, I discovered a vulnerability that allows a logged in user to upgrade their account to be an administrator. If you are using PeepSo <= 1.6.0, upgrade immediately.

The developers were quick to respond and deal with this issue, the updated version restricts the meta keys that can be updated.

PeepSo AJAX Actions

PeepSo has implemented their own AJAX handler that is handled differently than the typical WordPress AJAX handler. Their handler allows any function that is a derivative of the PeepSoAjaxCallback class to be called by any user and it is up to the individual functions to provide any form of security. This isn’t necessarily a bad setup, but it does require developers to be extra careful when adding additional functionality.

Unfiltered User Input

A logged in user can call the PeepSoProfilePreferencesAjax->save() function and save meta data for their own account. The function does keep users from modifying an account other than their own. Simply by passing the ‘wp_capabilities’ meta key, a user can escalate their account to be an administrator.

 

Timeline

• 6/22/2016 3:10pm Contact information requested
• 6/22/2016 7:10pm Response received from developer
• 6/22/2016 7:19pm Disclosure email sent
• 6/23/2016 2:31am Received copy of updated version of code
• 6/29/2016 Version 1.6.1 released on WordPress.org