16 Nov

Our Proactive Monitoring Caught a Remote Code Execution Vulnerability Being Added to the Feedify WordPress Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Most of the vulnerabilities caught by that are due to only a few checks that we run over those changes, but one that we can’t recall flagging anything before did for a change made yesterday and it identified a serious issue. The new version of the Feedify plugin it turns out introduced a remote code execution (RCE) vulnerability.

In the new version of the plugin has the function feedify_run_cmd() run “once WP, all plugins, and the theme are fully loaded and instantiated“:

2
add_action( 'wp_loaded', 'feedify_run_cmd' );

So the function runs anytime a WordPress page is loaded.

That function, which is located in the file /includes/base.php, takes the value of the GET or POST input “feedify_cmd” and passes it to function call_user_func(), allowing any “built-in or user-defined function” to run:

146
147
148
149
150
151
152
function feedify_run_cmd() {
    if(isset($_REQUEST['feedify_cmd'])) {
        if( is_callable($_REQUEST['feedify_cmd']) ) {
            call_user_func($_REQUEST['feedify_cmd']);
        }
    }
}

The intended use of this in the plugin is to run a couple of its functions, which shouldn’t be handled close to this way.

Now that we have actually run across a plugin that got flagged by the check that spotted this we have now added it to our Plugin Security Checker, so when you run plugins through that they will now get check for this as well (though hopefully there are not other plugins that are this insecure).

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

The following proof of concept will cause the function phpinfo() to run.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?feedify_cmd=phpinfo

Concerned About The Security of the Plugins You Use?

Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

Leave a Reply

Your email address will not be published. Required fields are marked *