
Tag: wordpress

Ultimate Member < 1.3.84 allows executing arbitrary WordPress shortcodes

Shortcode Injection Vulnerability

Ultimate Member versions older than 1.3.84 allow unauthenticated users to execute arbitrary WordPress shortcodes via AJAX. The vulnerable code exists as far back as version 1.0.0, when the plugin was first published. If you are running any version older than 1.3.84, update immediately. At this time, the plugin revision notes do not address this vulnerability, nor has the developer released any information related to this issue.

The default WordPress shortcodes are relatively harmless, but other installed plugins often register shortcodes that are not, and Ultimate Member itself is one of them. Some of the Ultimate Member shortcodes are documented at http://docs.ultimatemember.com/article/210-ultimate-member-shortcodes.

Executing arbitrary shortcodes

Ultimate Member adds the ‘ultimatemember_frontend_modal’ AJAX action, which is accessible to anyone whether they are logged in or not. The handler passes the request's arguments straight to do_shortcode() and returns the result, so the caller chooses which shortcode runs and with which attributes.


Include arbitrary PHP files

Combined with directory traversal, the ‘ultimatemember_account’ shortcode can be used to include any PHP file readable by the web server on the host.

The shortcode handler accepts a template argument that is used to build the path of the PHP file it includes, so a traversal sequence in that argument selects an arbitrary file. Note that the argument is given without the .php extension.

For example the following shortcode call allows viewing some user stats from the dashboard:

[ultimatemember_account template=../admin/templates/dashboard/users]

If a way to upload arbitrary PHP code, or otherwise write attacker-controlled content to a file on the host, could be discovered, this include would turn it into remote code execution.
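The include-by-template-name pattern described above, beside a hardened version, as an added example. This is not Ultimate Member's code: the directory layout, file names and function names are hypothetical, and the script builds its own throwaway directory tree so it runs stand-alone with php-cli.

```php
<?php
// Added example, not Ultimate Member's code: the include-by-template-name
// pattern the post describes, beside a hardened version. The directory
// layout and function names are hypothetical.

/**
 * Vulnerable pattern (illustrative): the shortcode's template attribute is
 * concatenated into an include path, so "../admin/templates/dashboard/users"
 * walks out of the templates directory.
 */
function include_template_unsafe(string $templateDir, string $template): void
{
    include $templateDir . '/' . $template . '.php';
}

/**
 * Hardened: return the absolute path of $template inside $templateDir, or
 * null if the name is not a plain identifier or does not resolve to a file
 * under that directory. The caller includes only a non-null result.
 */
function resolve_template_path(string $templateDir, string $template): ?string
{
    // First gate: template names are bare identifiers. No slashes, dots or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $template)) {
        return null;
    }
    // Second gate: canonicalise and check containment, which also defeats a
    // symlink inside the directory that points somewhere else.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $template . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demo on a throwaway directory tree constructed for this example.
$root = sys_get_temp_dir() . '/um-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
mkdir("$root/admin/templates/dashboard", 0700, true);
file_put_contents("$root/templates/account.php", '<?php echo "account template\n";');
file_put_contents("$root/admin/templates/dashboard/users.php", '<?php echo "ADMIN DASHBOARD: user stats\n";');

$attacker = '../admin/templates/dashboard/users';

// Unsafe: the traversal sequence makes the admin dashboard file run.
include_template_unsafe("$root/templates", $attacker);

// Hardened: only a real template under templates/ is ever included.
foreach (['account', $attacker, 'missing'] as $name) {
    $resolved = resolve_template_path("$root/templates", $name);
    echo str_pad($name, 40), ' => ', $resolved === null ? 'rejected' : 'ok', "\n";
    if ($resolved !== null) {
        include $resolved;
    }
}
```

When the set of templates is fixed, an explicit allowlist of names is simpler still and removes the need for the path check; the identifier regex plus realpath containment is the fallback for code that must accept a name it does not know in advance.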

Timeline

NinjaForms < 3.0.32 allows injecting arbitrary WordPress shortcodes

When Ninja Forms 3.0 started rolling out in March 2016, it carried a then-unknown vulnerability that allowed unauthenticated users to inject arbitrary WordPress shortcodes via form field submissions. The issue was resolved in version 3.0.31.

The default WordPress shortcodes do not give an attacker much further access, and the [ninja-forms] shortcode itself would only let an attacker preview unpublished forms, so on a default install this is a very minor issue. It becomes more serious when other installed plugins register shortcodes of their own, since the injection could then be used to execute those.
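Both posts above come down to user-controlled text reaching the shortcode parser: in Ultimate Member the whole shortcode string arrives in the AJAX request, in Ninja Forms it arrives inside a form field value. The following added example, which is not code from either plugin, uses a minimal stand-in for the WordPress shortcode API to show the two corresponding mitigations: allowlisting the tags an endpoint may dispatch, and neutralising brackets in submitted values before they are stored. Tag names, handlers and the allowlist are hypothetical.

```php
<?php
// Added example, not code from Ultimate Member or Ninja Forms: a minimal
// stand-in for the WordPress shortcode API used to show two mitigations for
// shortcode injection. Tag names, handlers and the allowlist are hypothetical.

/** Stand-in for WordPress's registered shortcode handlers ($shortcode_tags). */
$handlers = [
    // Harmless tag that a front-end endpoint might legitimately need to render.
    'greeting' => fn (array $atts): string => 'Hello, ' . htmlspecialchars($atts['name'] ?? 'world'),
    // Sensitive tag: stands for the kind of shortcode the posts above describe.
    'account'  => fn (array $atts): string => '<account widget, template=' . htmlspecialchars($atts['template'] ?? 'default') . '>',
];

/** Parse `key=value` and `key="quoted value"` pairs from a shortcode's attribute text. */
function parse_atts(string $text): array
{
    $atts = [];
    preg_match_all('/([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^\s"\]]+))/', $text, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        // An unmatched middle group is '', an unmatched trailing group is absent.
        $atts[strtolower($m[1])] = $m[2] !== '' ? $m[2] : ($m[3] ?? '');
    }
    return $atts;
}

/** Make untrusted text inert for any later shortcode pass: escaped brackets never match the tag regex. */
function neutralize_brackets(string $value): string
{
    return str_replace(['[', ']'], ['&#91;', '&#93;'], $value);
}

/**
 * Mitigation 1 (for an endpoint that must render shortcodes from a request):
 * execute only self-closing tags on the allowlist; every other tag is
 * neutralised and shown as literal text instead of being dispatched.
 */
function do_allowed_shortcodes(string $content, array $allowed, array $handlers): string
{
    return preg_replace_callback(
        '/\[([A-Za-z0-9_-]+)((?:\s[^\[\]]*)?)\]/',
        function (array $m) use ($allowed, $handlers): string {
            $tag = strtolower($m[1]);
            if (!in_array($tag, $allowed, true) || !isset($handlers[$tag])) {
                return neutralize_brackets($m[0]);
            }
            return $handlers[$tag](parse_atts($m[2]));
        },
        $content
    );
}

// Constructed attacker inputs.
// Ultimate Member style: the whole shortcode string comes from the request.
$fromAjax = '[account template=../admin/templates/dashboard/users]';
// Ninja Forms style: a shortcode hidden inside an ordinary form field value.
$fieldValue = 'Eve [account] was here';

// The endpoint only ever needs 'greeting', so 'account' is refused and echoed as text.
echo do_allowed_shortcodes($fromAjax, ['greeting'], $handlers), "\n";
echo do_allowed_shortcodes('[greeting name="Eve"]', ['greeting'], $handlers), "\n";

// Mitigation 2 (for submitted field values): neutralise on input, so the value
// stays inert even if some later rendering pass allows every tag.
$stored = neutralize_brackets($fieldValue);
echo do_allowed_shortcodes($stored, array_keys($handlers), $handlers), "\n";
echo do_allowed_shortcodes($fieldValue, array_keys($handlers), $handlers), "\n"; // unmitigated, for contrast
```

The stand-in handles only the self-closing form `[tag attr=value]`; the real WordPress parser also supports the enclosing form `[tag]content[/tag]` and the `[[tag]]` escape, so a production allowlist should sit in front of do_shortcode() itself rather than reimplement the parser. The ordering matters for the second mitigation: field values must be neutralised when they are received, before anything renders them.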

Timeline

  • 10/27/2016 First contact to vendor regarding issue
  • 10/27/2016 Received vendor support reply saying they will forward on the issue
  • 11/9/2016 Version 3.0.15 released
  • 11/10/2016 Second contact regarding issue
  • 11/21/2016 Version 3.0.16 released
  • 11/22/2016 Third contact regarding issue
  • 12/6/2016 Version 3.0.18 released
  • 2/28/2017 Version 3.0.30 released
  • 3/2/2017 Fourth attempt regarding issue
  • 3/3/2017 Reply from developer saying they see the issue and will be resolved
  • 3/7/2017 Version 3.0.31 released

PeepSo <= 1.6.0 Logged in user privilege escalation

During my recent search for a membership/community plugin I discovered PeepSo, which looks promising for a relatively new product. The WordPress.org plugin page claims there are 800+ users, so this isn’t going to affect too many users.

During initial analysis, I discovered a vulnerability that allows a logged in user to upgrade their account to be an administrator. If you are using PeepSo <= 1.6.0, upgrade immediately.

The developers were quick to respond and deal with this issue; the updated version restricts the meta keys that can be updated.

PeepSo AJAX Actions

PeepSo implements its own AJAX handler, which works differently from the typical WordPress AJAX handler. It allows any method of a class derived from PeepSoAjaxCallback to be called by any user, leaving it up to each individual method to enforce its own authentication and authorization checks. This isn't necessarily a bad design, but it means developers must be extra careful whenever they add functionality.

Unfiltered User Input

A logged-in user can call the PeepSoProfilePreferencesAjax->save() function to save meta data for their own account. The function does keep users from modifying an account other than their own, but it does not restrict which meta keys may be written. Simply by passing the ‘wp_capabilities’ meta key (the user meta key in which WordPress stores a user's roles; wp_ is the default table prefix), a user can escalate their own account to administrator.
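The save-everything pattern described above, beside an allowlisted version, as an added example. This is not PeepSo's code: the preference key names are hypothetical, and the writer callback stands in for update_user_meta() on the current user's ID so the script runs stand-alone.

```php
<?php
// Added example, not PeepSo's code: the save-everything pattern the post
// describes beside an allowlisted version. Preference key names are
// hypothetical; the writer callback stands in for update_user_meta() on the
// current user's ID.

/** Hypothetical preferences a user is allowed to change about their own account. */
const ALLOWED_PREFERENCE_KEYS = ['peepso_notify_email', 'peepso_profile_visibility', 'peepso_timezone'];

/** Vulnerable pattern (illustrative): whatever keys the request carries are written. */
function save_preferences_unsafe(array $submitted, callable $writeMeta): void
{
    foreach ($submitted as $key => $value) {
        $writeMeta((string) $key, $value);   // the caller chooses the key, wp_capabilities included
    }
}

/**
 * Hardened: write only allowlisted keys and, as defence in depth, refuse the
 * capability and user-level keys outright even if someone later allowlists
 * them by mistake. Returns the keys that were rejected so they can be logged.
 */
function save_preferences_safe(array $submitted, callable $writeMeta, string $tablePrefix = 'wp_'): array
{
    // WordPress keeps roles in "{$wpdb->prefix}capabilities": wp_capabilities on a default install.
    $protected = [$tablePrefix . 'capabilities', $tablePrefix . 'user_level'];
    $rejected = [];
    foreach ($submitted as $key => $value) {
        $key = (string) $key;
        if (in_array($key, $protected, true) || !in_array($key, ALLOWED_PREFERENCE_KEYS, true)) {
            $rejected[] = $key;
            continue;
        }
        // Preferences are scalar; arrays (the shape wp_capabilities takes) are never accepted.
        $writeMeta($key, is_scalar($value) ? (string) $value : '');
    }
    return $rejected;
}

// Constructed request body: one legitimate preference plus the escalation attempt.
$post = [
    'peepso_notify_email' => '1',
    'wp_capabilities'     => ['administrator' => true],
    'wp_user_level'       => '10',
];

// Stand-in for update_user_meta(get_current_user_id(), $key, $value): records writes in an array.
$store = [];
$writeMeta = function (string $key, $value) use (&$store): void {
    $store[$key] = $value;
};

save_preferences_unsafe($post, $writeMeta);
echo 'unsafe wrote: ', implode(', ', array_keys($store)), "\n";

$store = [];
$rejected = save_preferences_safe($post, $writeMeta);
echo 'safe wrote:   ', implode(', ', array_keys($store)), "\n";
echo 'rejected:     ', implode(', ', $rejected), "\n";
```

The allowlist is the fix; the explicit check on the capability keys only guards against a future allowlist edit. Independently of both, the real handler still needs a valid nonce, an is_user_logged_in() check, and a target of get_current_user_id() rather than a user ID taken from the request, which the post notes PeepSo already got right.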


Timeline

  • 6/22/2016 3:10pm Contact information requested
  • 6/22/2016 7:10pm Response received from developer
  • 6/22/2016 7:19pm Disclosure email sent
  • 6/23/2016 2:31am Received copy of updated version of code
  • 6/29/2016 Version 1.6.1 released on WordPress.org