05 Jul

Authenticated Information Disclosure Vulnerability in Email Log

When thinking about the security of WordPress plugins the more obvious concern is vulnerabilities that lead to websites being hacked, but for more high profile website there should also be plenty of concern for other issues, like the leaking of potential sensitive information. A wide range of plugins interact with that type of information, but the security of them doesn’t seem to be very well looked after either by the developers or the public that are using them based on some the vulnerabilities we are discovering.

We recently took a look over plugins that allow logging emails sent by the website, which depending on what is included could be rather sensitive. In a couple of cases we found that the logged emails were viewable by anyone logged in to WordPress. In the first, Email Log, the logged emails are displayed by the function display_content_callback() which is accessed through AJAX request.

147
add_action( 'wp_ajax_display_content', array( $this, 'display_content_callback' ) );

Since that makes it accessible to anyone logged in to WordPress there should be a check to make sure the user should be able to access it, which in this case would be only Administrator level users. But in looking at the function in version 1.9 of the plugin you can see that doesn’t happen:

297
298
299
300
301
302
303
304
305
306
307
308
309
public function display_content_callback() {
	global $wpdb;
 
	$table_name = $wpdb->prefix . self::TABLE_NAME;
	$email_id   = absint( $_GET['email_id'] );
 
	$query      = $wpdb->prepare( 'SELECT * FROM ' . $table_name . ' WHERE id = %d', $email_id );
	$content    = $wpdb->get_results( $query );
 
	echo wpautop( $content[0]->message );
 
	die(); // this is required to return a proper result
}

After notifying the developer of the issue they released version 1.9.1, which fixes the the vulnerability by checking if the request is sent by someone who can “manage_options” before displaying the logged email:

297
298
299
300
301
public function display_content_callback() {
	global $wpdb;
 
	if ( current_user_can( 'manage_options' ) ) {
		$table_name = $wpdb->prefix . self::TABLE_NAME;

Proof of Concept

The following proof of concept will display the first logged email, when submitted while logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=display_content&email_id=1

Timeline

  • 7/1/2016 – Developer notified.
  • 7/1/2016 – Version 1.9.1 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *