11 Jul

Protecting You Against Wordfence’s Bad Practices: Missing Authorization Vulnerability in WP Maintenance Mode

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the missing authorization vulnerability in WP Maintenance Mode version 2.0.6 as “This vulnerability allows an attacker with a subscriber level account to modify plugin settings.”.

Like the information disclosure vulnerability that Wordfence mentions in the same post, what we found is that it didn’t actually exist in version 2.0.6. It had existed as of version 2.0.3 and had been fixed in 2.0.4. Strangely both of them had been fixed before Wordfence claims to have even contacted the developer about the vulnerabilities.

In version 2.0.3 the function reset_settings() was accessible through AJAX (in the file /includes/classes/wp-maintenance-mode-admin.php):

add_action('wp_ajax_wpmm_reset_settings', array($this, 'reset_settings'));

That would make it accessible to anyone logged in to WordPress, so a check needs to be done to insure an intended user is doing that, but no check was done:

130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
public function reset_settings() {
	if (empty($_REQUEST['tab'])) {
		return false;
	}
	$tab = $_REQUEST['tab'];
 
	if (empty($this->plugin_default_settings[$tab])) {
		return false;
	}
 
	// OPTIONS UPDATE
	$this->plugin_settings[$tab] = $this>plugin_default_settings[$tab];
	update_option('wpmm_settings', $this->plugin_settings);
 
	wp_send_json(array('success' => 1));
}

In version 2.0.4 the function first checks to make sure the user trying to access the function can manage_options, which is a capability only Administrators normally have:

177
178
179
180
181
182
public function reset_settings() {
	try {
		// check capabilities
		if (!current_user_can('manage_options')) {
			throw new Exception(__('You do not have access to this resource.', $this->plugin_slug));
		}

It is worth noting that Wordfence excluded the important detail that the user can only reset the settings to their default values and can not otherwise change them.

Proof of Concept

The following proof of concept will reset the plugin’s settings, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=wpmm_reset_settings

Leave a Reply

Your email address will not be published. Required fields are marked *