The description of the plugin Companion Auto Update, which has 30,000+ active installations according to wordpress.org, starts with the message:
KEEP YOUR WEBSITE SAFE!
But the plugin itself introduces a cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability, as we found while doing some checking of the 1,000 most popular plugins in the Plugin Directory against some of the checks included in our automated tool for identifying possible security issues in WordPress plugins, the Plugin Security Checker. That tool isn’t something that is very advanced, so it is troubling that it is it able to detect so many vulnerabilities in some of the most popular plugins.
In this case, the tool would detect the possibility of a LFI vulnerability based on this line in the plugin (in the file /companion-auto-update.php):
require_once( 'admin/'.$_GET['tab'].'.php' );
Through path traversal that code could allow any file with a .php extension to be included, causing the code in the specified file to run.
What would determine if that is a vulnerability is how that code could be accessed and if the user input used on that line is somehow limited before it is accessed.
That line runs in the function cau_frontend(). That function doesn’t limit the user input, but that function is called when an admin page is loaded that is only accessible to user with the “manage_options” capability (normally only Administrators have that):
add_submenu_page( cau_menloc() , __('Auto Updater', 'companion-auto-update'), __('Auto Updater', 'companion-auto-update'), 'manage_options', 'cau-settings', 'cau_frontend' );
Seeing as Administrators can normally do whatever they want, them intending to use that for to cause file to be included wouldn’t be a vulnerability since among other things they could normally remove security code that would restrict something like this from being possible or just upload a plugin that runs any code they want already.
But in this case, an attacker can cause this to happen without the Administrator intending it since if the attacker could get the Administrator to visit a URL they specify they can cause the local file inclusion vulnerability to be exploited.
This vulnerability has existed in the plugin for over seven months without it being noticed, but anyone checking the plugin with our Plugin Security Checker would have been notified of the possible issue.
Due to the moderators of the WordPress Support Forum continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. If you have a problem with this type of full disclosure please contact the leadership of WordPress and let them know that the moderation of this forum needs to be cleaned up, since that is how these full disclosures will end (we hope they end soon).
Proof of Concept
The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included, when logged in as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/tools.php?page=cau-settings&tab=..%2F..%2Ftest&cau_page=advanced