Our Proactive Monitoring Caught a Remote Code Execution (RCE) Vulnerability in an Unreleased Version of MailPress
In a reminder of the negative impact of WordPress intentionally leaving those using vulnerable plugins unaware of it, there are still 3,000+ active installs, according to wordpress.org, of the plugin MailPress. Back in July of 2016 we noted that it appeared that hackers were targeting it, while disclosing a vulnerability we had found in it after noticing the apparent hacker interest. At the time the plugin had already been removed from the Plugin Directory and remains so today. The hacker interest has continued as well, as multiple times in the last week we have seen probing for usage of the plugin on our website.
In the meantime the developer has at various times submitted changes to the plugin, and one of the recent changes was flagged by our proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities when they are introduced into plugins. Perhaps not surprisingly, considering that the plugin appears to have had a vulnerability serious enough that hackers would be interested in exploiting it and that the developer has yet to resolve the issue that led to the plugin being removed, it turns out that versions of the plugin that have not been released contain a remote code execution vulnerability.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Technical Details
In the file /Mailpress.php the plugin registers the function mp_cron() to be accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in:
    add_action( 'wp_ajax_mp_cron', array( __CLASS__, 'mp_cron' ) );
    add_action( 'wp_ajax_nopriv_mp_cron', array( __CLASS__, 'mp_cron' ) );
That function will pass a value specified by the GET input “hook” to the WordPress function do_action(), which will “execute functions hooked on a specific action hook”:
    public static function mp_cron() //wp_cron
    {
        define( 'DOING_CRON', true );
        // $_GET['hook'] is unvalidated request input, so the request chooses which action runs
        do_action( $_GET['hook'] );
    }
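As an added illustration (not MailPress code, and not the developer's fix), here is the vulnerable pattern beside a hardened handler that only dispatches hook names from a fixed allowlist and requires a nonce; the class, action and hook names are hypothetical placeholders.

```php
<?php
// Added example (not from MailPress): vulnerable handler beside a hardened one.

class Example_Cron_Handler {

    // Hook names this endpoint is permitted to fire. Hypothetical placeholder
    // names; a real plugin lists only its own scheduled-task hooks here.
    const ALLOWED_HOOKS = array( 'example_send_batch', 'example_purge_log' );

    public static function register() {
        // Same exposure as the original: reachable by logged-in and anonymous users.
        add_action( 'wp_ajax_example_cron',        array( __CLASS__, 'cron_hardened' ) );
        add_action( 'wp_ajax_nopriv_example_cron', array( __CLASS__, 'cron_hardened' ) );
    }

    // Vulnerable shape, kept for comparison: whatever action name the request
    // supplies is executed, so the request decides which hooked functions run.
    public static function cron_vulnerable() {
        define( 'DOING_CRON', true );
        do_action( $_GET['hook'] );
    }

    // Hardened shape: the request may only select from names the plugin owns.
    public static function cron_hardened() {
        $hook = isset( $_GET['hook'] ) ? sanitize_key( wp_unslash( $_GET['hook'] ) ) : '';

        // Reject anything outside the allowlist; strict comparison avoids type juggling.
        if ( ! in_array( $hook, self::ALLOWED_HOOKS, true ) ) {
            wp_send_json_error( 'unknown hook', 400 );
        }

        // Require a nonce tied to the selected hook so a bare GET cannot trigger it.
        check_ajax_referer( 'example_cron_' . $hook, '_wpnonce' );

        if ( ! defined( 'DOING_CRON' ) ) {
            define( 'DOING_CRON', true );
        }
        do_action( $hook );
        wp_send_json_success();
    }
}

Example_Cron_Handler::register();
```

The allowlist is the essential control here; the nonce check is an additional assumption that the legitimate caller can obtain one, and a plugin whose cron is meant to fire without any caller should use WP-Cron scheduling rather than an AJAX endpoint at all.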
Proof of Concept
The following proof of concept will cause the WordPress action/function do_feed_rss to run.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin-ajax.php?action=mp_cron&hook=do_feed_rss