One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a less serious variant of a local file inclusion (LFI) vulnerability, which allows for evaluating the code in a specified file, in the plugin Social Share Buttons & Analytics by GetSocial.io. In this case through cross-site request forgery (CSRF) an attacker could cause a logged in Administrator to include cause a file with the .php extension to be included in the context of a WordPress page being loaded (so it could, for example, be used to access a plugin’s .php files that have code to restrict direct access to them).
The vulnerability has been in the plugin for four years without apparently being noticed.
The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool.
The plugin loads the file init.php when accessing its admin page:
add_menu_page( 'GetSocial', 'GetSocial', 'manage_options', slug_path('init.php'), '',
Access to that page is limited to those with the “manage_options” capability, so only Administrators. Administrators are allowed to take any action they want so a possible vulnerability accessible by them alone is only a concern if it accessible through CSRF or some other method where they don’t intend to take the action.
In the init.php if the WordPress option “gs-api-key” exists, which would if you have set up the plugin, then the following code will run:
72 73 74 75 76 77 78 79 80 81 82
<?php else: ?> <?php if( !isset($_GET['tab']) ): ?> <?php include('tmpl/apps_config.php') ?> <?php include('tmpl/apps_filters.php') ?> <?php include('tmpl/alerts.php') ?> <?php include('tmpl/apps.php') ?> <?php else: ?> <?php include('tmpl/apps_config.php') ?> <?php include('tmpl/apps_filters.php') ?> <?php include('tmpl/alerts.php') ?> <?php include('tmpl/apps/'.$_GET['tab'].'.php') ?>
With that code, if the GET input “tab” exists then its value will be used to specify a file to be included. Through directory traversal you can load any .php file on the website.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.
Proof of Concept
The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included, when logged in as an Administrator. The plugin needs to be set up or your need to add the option “gs-api-key” to the options table in the WordPress database manually.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=wp-share-buttons-analytics-by-getsocial%2Finit.php&tab=../../../../../test