We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. For the first time we have found an arbitrary file viewing vulnerability through this, which is  a type of vulnerability that is up there with the most likely to have exploit attempts. What is concerning about the vulnerability we found in the plugin WP Post Popup is how obvious the issue is and yet it had yet to be noticed.

In the file /public/includes/proxy.php the first code was:

15
16

if (isset($_GET['url'])) {
    echo file_get_contents($_GET['url']);

That code takes the value of the GET input “url”, passes it to the function file_get_contents(), and echo’s the result. So with that you can view the contents of any file on the website. Hackers would normally exploit that to the view the contents of the WordPress configuration file, wp-config.php file.

In addition to being able to be used for arbitrary file viewing, the vulnerability could be used for cross-site scripting (XSS) since file_get_contents() can also get the contents of URLs ” if the fopen wrappers have been enabled”.

We notified the developer and several hours later the vulnerability was resolved by removing that file and changing how the relevant functionality is handled.

Proof of Concept

The following proof of concept will display the contents of the WordPress configuration file, wp-config.php.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-content/plugins/wp-post-modal/public/includes/proxy.php?url=../../../../../wp-config.php

Timeline

• August 10, 2017 – Developer notified.
• August 10, 2017 – Developer responds.
• August 10, 2017 – Version 2.0.1 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?