04 May

Authenticated Information Disclosure Vulnerability in Page and Post Clone

The log message for version 1.1 of the plugin Page and Post Clone was “cookie exploit resolution”.  In looking at the changes made in that version to see if that was a vulnerability that we should add to our data we found that what was being fixed there was a cross-site request forgery (CSRF) vulnerability. As far we can think of, that seems of little consequence. In looking into that though we realized that the plugin did have a slightly more serious issue that we had previously also noticed in other plugins that provide the same functionality (one of the negatives of having so many WordPress plugins is that you can have the same vulnerabilities come up again and again as new plugins are introduced).

As of version 1.1 the plugin doesn’t check if the user cloning a page or post has the ability to edit the post, which could, for example, lead to a contributor-level user or author-level users gaining access to the contents of password protected posts.

Currently the only checking done in the function content_clone() is to see if the post ID of the page or post to clone is specified and for valid nonce (to prevent CSRF):

19
20
21
22
23
24
25
26
27
28
29
function content_clone(){
	global $wpdb;	
	if (! ( isset( $_GET['post']) || isset( $_POST['post'])  || ( isset($_REQUEST['action']) && 'content_clone' == $_REQUEST['action'] ) ) ) {
		wp_die('No post to duplicate has been supplied!');
	}
 
	/*
	 * Nonce verification
	 */
	if ( !isset( $_GET['clone_nonce'] ) || !wp_verify_nonce( $_GET['clone_nonce'], basename( __FILE__ ) ) )
		return;

The nonce is accessible to anyone that can the Pages and or Posts menu and had the edit_posts capability:

113
114
115
116
117
118
function content_clone_link( $actions, $post ) {
	if (current_user_can('edit_posts')) {			
		$actions['duplicate'] = '<a title="Clone!" href="' . wp_nonce_url('admin.php?action=content_clone&post=' . $post->ID, basename(__FILE__), 'clone_nonce' ) . '" rel="permalink">Clone</a>';
	}
	return $actions;
}

The code should check if the user can edit the specific post being cloned, as that would restrict them from gaining access to posts they could not otherwise access.

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof Concept

Create a password protected post as one user and then as a separate Contributor-level user click the Clone link under that post.

Timeline

  • April 27, 2018 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *