15 Aug

Authenticated User Deletion Vulnerability in Keypic

One common cause of vulnerabilities being discovered in WordPress plugins these day is functions made accessible through WordPress’ AJAX functionality that fail to check if the user making the request should accessing them. Since anyone who is logged in can make a request to them by default, if there isn’t any check done to insure only intended users are accessing them that can lead to functionality only intended to accessed by Administrators being accessible to people who shouldn’t have access. Recently we found that there is a related issue with the seemingly obscure action hook admin_action_, which also allows anyone logged in to access the connected functions. While do a quick look over security plugins for vulnerabilities caused by a failure to proper restrict access to these, we found that with the current version of the plugin Keypic, 2.1.2, that anyone logged in to WordPress can delete other users.

In the file /admin.php the admin_action_ for the function keypic_report_spam_and_delete_user() is registered:

99
add_action('admin_action_keypic_report_spam_and_delete_user', 'keypic_report_spam_and_delete_user');

Looking at the function it doesn’t do any check on who is making the request and it doesn’t do any nonce check to prevent cross-site request forgery(CSRF):

83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
function keypic_report_spam_and_delete_user()
{
	global $FormID;
 
	if(!(isset($_GET['id']) || (isset($_REQUEST['action']) && 'keypic_report_spam_and_delete_user' == $_REQUEST['action']))){return;}
 
	$keypic_users = get_option('keypic_users');
	$user = $keypic_users[$_GET['id']];
 
	Keypic::reportSpam($user['token']);
	wp_delete_user($_GET['id']);
 
	wp_redirect( $_SERVER['HTTP_REFERER'] );
	die();
}

You also see it will pass the user specified GET value of “id” to the function wp_delete_user(), which deletes the user.

It is also possible to delete comments through the function keypic_report_spam_and_delete_comment(), which is also accessible in the same way.

Proof of Concept

The following proof of concept will delete the specified user, when logged in to WordPress. Make sure to replace “[path to WordPress]” with the location of WordPress and “[user ID]” with the ID of the user you are trying to delete.

http://[path to WordPress]/wp-admin/admin.php?action=keypic_report_spam_and_delete_user&id=[User ID]

Timeline

  • 7/5/2016 – Developer notified.
  • 7/6/2016 – Developer responds.
  • 8/15/2016 – WordPress.org Plugin Directory notified.
  • 8/15/2016 – Plugin removed WordPress.org Plugin Directory.

Concerned About The Security of The Plugins You Use

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

Leave a Reply

Your email address will not be published. Required fields are marked *